This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, fifteen has been updated
       via  901aa8b943e6442e4b3540a73fe7c79c9a9cd419 (commit)
       via  39e360b26c3815adfb32ead9ea5e782898ca97c2 (commit)
       via  9c89c64de19f43d77e2bc720fef2b58486472878 (commit)
       via  85f129fe3cac3f5161a6451e137084d91282472a (commit)
       via  8039a71099eafbec9fb280ce9caff2c069bdff7f (commit)
       via  6d8eb5dec7bf36f9b1bd53c9354d980aea315d89 (commit)
       via  6921f0ea0a62b09fd3bb9772ffc50b86b49bef97 (commit)
       via  11760a707510a5173f41c58551e03438043f36d6 (commit)
      from  b161bfa8683402036e0d3e08159aafda5d4c4310 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 901aa8b943e6442e4b3540a73fe7c79c9a9cd419
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Oct 25 11:40:06 2013 +0200

    firewall: Fix layout of protocol selection.

commit 39e360b26c3815adfb32ead9ea5e782898ca97c2
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Oct 24 16:24:45 2013 +0200

    Firewall: added missing translation for short IPv6 protocol in ruletable

commit 9c89c64de19f43d77e2bc720fef2b58486472878
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Oct 24 16:04:26 2013 +0200

    Firewall: rename Protocol 41 in Dropdown and ruletable -> Now "IPv6 Encapsulation (protocol 41)" in dropdown and "IPv6 Encap" in ruletable

commit 85f129fe3cac3f5161a6451e137084d91282472a
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Oct 24 14:16:03 2013 +0200

    Firewall: fix deleted files from core fifteen firewall

commit 8039a71099eafbec9fb280ce9caff2c069bdff7f
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Oct 24 09:42:42 2013 +0200

    Firewall: renamed forwardfwctrl to firewallctrl

commit 6d8eb5dec7bf36f9b1bd53c9354d980aea315d89
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Oct 24 09:24:12 2013 +0200

    Firewall: Renamed directory /var/ipfire/forward to /var/ipfire/firewall

commit 6921f0ea0a62b09fd3bb9772ffc50b86b49bef97
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Oct 24 08:15:48 2013 +0200

    Firewall: renamed /config/forwardfw to config/firewall

commit 11760a707510a5173f41c58551e03438043f36d6
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Oct 24 07:59:42 2013 +0200

    Firewall: Added protocols IPv6 (41) and IPIP (94)

-----------------------------------------------------------------------
Summary of changes:
 config/backup/backup.pl                            |  47 ++---
 config/backup/exclude                              |   3 +-
 config/backup/include                              |   2 +-
 config/cfgroot/general-functions.pl                |   4 +-
 config/{forwardfw => firewall}/convert-dmz         |   2 +-
 config/{forwardfw => firewall}/convert-outgoingfw  |  12 +-
 config/{forwardfw => firewall}/convert-portfw      |   4 +-
 config/{forwardfw => firewall}/convert-xtaccess    |   2 +-
 config/{forwardfw => firewall}/firewall-lib.pl     |   0
 config/{forwardfw => firewall}/firewall-policy     |   2 +-
 config/{forwardfw => firewall}/p2protocols         |   0
 config/{forwardfw => firewall}/rules.pl            |  18 +-
 config/rootfiles/common/configroot                 |  22 +-
 config/rootfiles/common/misc-progs                 |   2 +-
 config/rootfiles/core/fifteen/filelists/firewall   |  18 +-
 html/cgi-bin/firewall.cgi                          | 221 +++++++++++----------
 html/cgi-bin/fwhosts.cgi                           |   4 +-
 html/cgi-bin/optionsfw.cgi                         |  14 +-
 html/cgi-bin/ovpnmain.cgi                          |   2 +-
 html/cgi-bin/p2p-block.cgi                         |   2 +-
 langs/de/cgi-bin/de.pl                             |   2 +
 langs/en/cgi-bin/en.pl                             |   2 +
 lfs/configroot                                     |  26 +--
 lfs/initscripts                                    |   2 +-
 src/initscripts/init.d/firewall                    |   2 +-
 src/misc-progs/Makefile                            |   6 +-
 src/misc-progs/{forwardfwctrl.c => firewallctrl.c} |   4 +-
 27 files changed, 216 insertions(+), 209 deletions(-)
 rename config/{forwardfw => firewall}/convert-dmz (99%)
 rename config/{forwardfw => firewall}/convert-outgoingfw (98%)
 rename config/{forwardfw => firewall}/convert-portfw (98%)
 rename config/{forwardfw => firewall}/convert-xtaccess (98%)
 rename config/{forwardfw => firewall}/firewall-lib.pl (100%)
 rename config/{forwardfw => firewall}/firewall-policy (98%)
 rename config/{forwardfw => firewall}/p2protocols (100%)
 rename config/{forwardfw => firewall}/rules.pl (97%)
 rename src/misc-progs/{forwardfwctrl.c => firewallctrl.c} (79%)
Difference in files: diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 28e2dd8..5424a1e 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -66,15 +66,15 @@ elsif ($ARGV[0] eq 'restore') { system("/usr/sbin/ovpn-ccd-convert"); #OUTGOINGFW CONVERTER if( -d "${General::swroot}/outgoing"){ - if( -f "${General::swroot}/forward/config" ){ - unlink("${General::swroot}/forward/config"); - system("touch ${General::swroot}/forward/config"); - chown 99,99,"${General::swroot}/forward/config"; + if( -f "${General::swroot}/firewall/config" ){ + unlink("${General::swroot}/firewall/config"); + system("touch ${General::swroot}/firewall/config"); + chown 99,99,"${General::swroot}/firewall/config"; } - if( -f "${General::swroot}/forward/outgoing" ){ - unlink("${General::swroot}/forward/outgoing"); - system("touch ${General::swroot}/forward/outgoing"); - chown 99,99,"${General::swroot}/forward/outgoing"; + if( -f "${General::swroot}/firewall/outgoing" ){ + unlink("${General::swroot}/firewall/outgoing"); + system("touch ${General::swroot}/firewall/outgoing"); + chown 99,99,"${General::swroot}/firewall/outgoing"; } unlink("${General::swroot}/fwhosts/customgroups"); unlink("${General::swroot}/fwhosts/customhosts"); 
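Review bot: the unlink / system("touch ...") / chown 99,99 sequence is now repeated verbatim for firewall/config and firewall/outgoing (and again in the following hunk), so a small helper that truncates and chowns a given path would keep the renamed paths in one place; the truncate itself can be done by opening the file for writing in Perl instead of shelling out for `touch`. Note also that the guard is `-f`, so each file is only recreated when it already exists; if the converters that run afterwards expect an empty firewall/config to be present, the case where it does not exist yet should be checked.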
@@ -97,38 +97,33 @@ elsif ($ARGV[0] eq 'restore') { } #XTACCESS CONVERTER if( -d "${General::swroot}/xtaccess"){ - if( -f "${General::swroot}/forward/input" ){ - unlink("${General::swroot}/forward/input"); - system("touch ${General::swroot}/forward/input"); + if( -f "${General::swroot}/firewall/input" ){ + unlink("${General::swroot}/firewall/input"); + system("touch ${General::swroot}/firewall/input"); } #START CONVERTER "XTACCESS" system("/usr/sbin/convert-xtaccess"); - chown 99,99,"${General::swroot}/forward/input"; + chown 99,99,"${General::swroot}/firewall/input"; rmtree("${General::swroot}/xtaccess"); } #DMZ-HOLES CONVERTER - if( -d "${General::swroot}/dmzholes"){ - if( -f "${General::swroot}/forward/dmz" ){ - unlink("${General::swroot}/forward/dmz"); - system("touch ${General::swroot}/forward/dmz"); + if( -d "${General::swroot}/dmzholes" || -d "${General::swroot}/portfw"){ + if( -f "${General::swroot}/firewall/config" ){ + unlink("${General::swroot}/firewall/config"); + system("touch ${General::swroot}/firewall/config"); } #START CONVERTER "DMZ-HOLES" system("/usr/sbin/convert-dmz"); - chown 99,99,"${General::swroot}/forward/dmz"; + chown 99,99,"${General::swroot}/firewall/config"; rmtree("${General::swroot}/dmzholes"); } #PORTFORWARD CONVERTER if( -d "${General::swroot}/portfw"){ - if( -f "${General::swroot}/forward/nat" ){ - unlink("${General::swroot}/forward/nat"); - system("touch ${General::swroot}/forward/nat"); - } - #START CONVERTER "PORTFW" - system("/usr/sbin/convert-portfw"); - chown 99,99,"${General::swroot}/forward/nat"; - rmtree("${General::swroot}/portfw"); + #START CONVERTER "PORTFW" + System("/usr/sbin/convert-portfw"); + rmtree("${General::swroot}/portfw"); } - system("/usr/local/bin/forwardfwctrl"); + system("/usr/local/bin/firewallctrl"); } elsif ($ARGV[0] eq 'restoreaddon') { if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");} 
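Review bot: `System("/usr/sbin/convert-portfw");` in the PORTFORWARD CONVERTER block is capitalised; Perl's builtin is `system`, so as written this is a call to an undefined subroutine and the restore dies with an undefined-subroutine error when it reaches this line, before `rmtree` and the final `firewallctrl` call. It should read `system("/usr/sbin/convert-portfw");`. Second, the DMZ-HOLES block now unlinks and recreates `${General::swroot}/firewall/config` whenever dmzholes or portfw exists, and the previous hunk does the same when the outgoing directory exists; if the outgoing conversion writes its rules into firewall/config between the two, this unlink discards them, so please confirm the ordering or drop the unlink here and let convert-dmz and convert-portfw append. Minor: `rmtree("${General::swroot}/dmzholes")` now also runs when only portfw triggered the block, which is harmless but deserves a guard or a comment.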
diff --git a/config/backup/exclude b/config/backup/exclude index 41ae8b5..83db234 100644 --- a/config/backup/exclude +++ b/config/backup/exclude @@ -1,7 +1,6 @@ *.tmp /var/ipfire/ethernet/settings -/var/ipfire/forward/bin/* +/var/ipfire/firewall/bin/* /var/ipfire/proxy/calamaris/bin/* /var/ipfire/qos/bin/qos.pl /var/ipfire/urlfilter/blacklists/*/*.db -/var/ipfire/forward/bin/* diff --git a/config/backup/include b/config/backup/include index 551b52d..1d55e4a 100644 --- a/config/backup/include +++ b/config/backup/include @@ -15,7 +15,7 @@ /var/ipfire/auth/users /var/ipfire/dhcp/* /var/ipfire/dnsforward/* -/var/ipfire/forward +/var/ipfire/firewall /var/ipfire/fwhosts /var/ipfire/main/* /var/ipfire/ovpn diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 8236f07..48d68a2 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -1137,7 +1137,7 @@ sub write_file_utf8 ($) { return; }
-my $FIREWALL_RELOAD_INDICATOR = "${General::swroot}/forward/reread"; +my $FIREWALL_RELOAD_INDICATOR = "${General::swroot}/firewall/reread";
sub firewall_config_changed() { open FILE, ">$FIREWALL_RELOAD_INDICATOR" or die "Could not open $FIREWALL_RELOAD_INDICATOR"; @@ -1153,7 +1153,7 @@ sub firewall_needs_reload() { }
sub firewall_reload() { - system("/usr/local/bin/forwardfwctrl"); + system("/usr/local/bin/firewallctrl"); }
1; diff --git a/config/firewall/convert-dmz b/config/firewall/convert-dmz new file mode 100755 index 0000000..0f7c68e --- /dev/null +++ b/config/firewall/convert-dmz 
@@ -0,0 +1,193 @@ +#!/usr/bin/perl + +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### +# # +# This script converts old dmz holes rules from old firewall # +# to the new one. This is a 2-step process. 
# +# STEP1: read old config and normalize settings # +# STEP2: check valid ip and save valid rules to new firewall # +# # +############################################################################### +my @current=(); +my @alias=(); +my %configdmz=(); +my %ifaces=(); +my %configfwdfw=(); +require '/var/ipfire/general-functions.pl'; +my $dmzconfig = "${General::swroot}/dmzholes/config"; +my $fwdfwconfig = "${General::swroot}/firewall/config"; +my $ifacesettings = "${General::swroot}/ethernet/settings"; +my $field0 = 'ACCEPT'; +my $field1 = 'FORWARDFW'; +my $field2 = ''; #ON or emtpy +my $field3 = ''; #std_net_src or src_addr +my $field4 = ''; #ALL or IP-Address with /32 +my $field5 = ''; #std_net_tgt or tgt_addr +my $field6 = ''; #IP or network name +my $field11 = 'ON'; #use target port +my $field12 = ''; #TCP or UDP +my $field13 = 'All ICMP-Types'; +my $field14 = 'TGT_PORT'; +my $field15 = ''; #Port Number +my $field16 = ''; #remark +my $field26 = '00:00'; +my $field27 = '00:00'; +my $field28 = ''; +my $field29 = 'ALL'; +my $field30 = ''; +my $field31 = 'dnat'; + + +open(FILE, $dmzconfig) or die 'Unable to open config file.'; +my @current = <FILE>; +close(FILE); +#open LOGFILE +open (LOG, ">/var/log/converters/dmz-convert.log") or die $!; +&General::readhash($ifacesettings, %ifaces); +&General::readhasharray($fwdfwconfig,%configfwdfw); +&process_rules; +sub process_rules{ + foreach my $line (@current){ + my $now=localtime; + #get values from old configfile + my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line); + $h =~ s/\s*\n//gi; + print LOG "$now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n"; + #Now convert values and check ip addresses + $a=uc($a); + $e=uc($e); + $field2=$e if($e eq 'ON'); + #SOURCE IP-check + $b=&check_ip($b); + if (&General::validipandmask($b)){ + #When ip valid, check if we have a network + my ($ip,$subnet) = split ("/",$b); + if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){ + $field3='std_net_src'; + 
$field4='ORANGE'; + }elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ + $field3='std_net_src'; + $field4='BLUE'; + }elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){ + $field3='src_addr'; + $field4=$b; + }elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ + $field3='src_addr'; + $field4=$b; + }else{ + print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n"; + next; + } + }else{ + print LOG "$now -> SOURCE IP INVALID. \n\n"; + next; + } + #TARGET IP-check + $c=&check_ip($c); + if (&General::validipandmask($c)){ + my $now=localtime; + #When ip valid, check if we have a network + my ($ip,$subnet) = split ("/",$c); + if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){ + $field5='std_net_tgt'; + $field6='GREEN'; + }elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ + $field5='std_net_tgt'; + $field6='BLUE'; + }elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){ + $field5='tgt_addr'; + $field6=$c; + }elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ + $field5='tgt_addr'; + $field6=$c; + }else{ + print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n"; + next; + } + }else{ + print LOG "$now -> TARGET IP INVALID. \n\n"; + next; + } + $field12=$a; + #convert portrange + $d =~ tr/-/:/; + $field15=$d; + $field16=$h; + my $key = &General::findhasharraykey (%configfwdfw); + foreach my $i (0 .. 
27) { $configfwdfw{$key}[$i] = "";} + $configfwdfw{$key}[0] = $field0; + $configfwdfw{$key}[1] = $field1; + $configfwdfw{$key}[2] = $field2; + $configfwdfw{$key}[3] = $field3; + $configfwdfw{$key}[4] = $field4; + $configfwdfw{$key}[5] = $field5; + $configfwdfw{$key}[6] = $field6; + $configfwdfw{$key}[7] = ''; + $configfwdfw{$key}[8] = ''; + $configfwdfw{$key}[9] = ''; + $configfwdfw{$key}[10] = ''; + $configfwdfw{$key}[11] = $field11; + $configfwdfw{$key}[12] = $field12; + $configfwdfw{$key}[13] = $field13; + $configfwdfw{$key}[14] = $field14; + $configfwdfw{$key}[15] = $field15; + $configfwdfw{$key}[16] = $field16; + $configfwdfw{$key}[17] = ''; + $configfwdfw{$key}[18] = ''; + $configfwdfw{$key}[19] = ''; + $configfwdfw{$key}[20] = ''; + $configfwdfw{$key}[21] = ''; + $configfwdfw{$key}[22] = ''; + $configfwdfw{$key}[23] = ''; + $configfwdfw{$key}[24] = ''; + $configfwdfw{$key}[25] = ''; + $configfwdfw{$key}[26] = $field26; + $configfwdfw{$key}[27] = $field27; + $configfwdfw{$key}[28] = $field28; + $configfwdfw{$key}[29] = $field29; + $configfwdfw{$key}[30] = $field30; + $configfwdfw{$key}[31] = $field31; + print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n"; + } + &General::writehasharray($fwdfwconfig,%configfwdfw); +close (LOG); +} + +sub check_ip +{ + my $adr=shift; + my $a; + #ip with subnet in decimal + if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)/(\d{1,2})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + my $b = &General::iporsubtodec($5); + $a=$adr."/".$b; + }elsif($adr =~ /^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + if(&General::validip($adr)){ + $a=$adr."/32"; + } + } + if(&General::validipandmask($adr)){ + $a=&General::iporsubtodec($adr); + } + return $a; +} 
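Review bot: the final log line in process_rules uses `$Now` (`print LOG "$Now -> Converted to ...`) while the variable declared is `$now`, so the timestamp on every "Converted" entry is empty (and under `use strict` this would be a compile error). Also `my @current=();` at the top is redeclared as `my @current = <FILE>;`, which only triggers a "masks earlier declaration" warning but should be tidied. The zero-fill loop `foreach my $i (0 .. 27)` covers fields 0..27 while the record has fields up to 31; every field is assigned explicitly below so nothing is lost today, but `0 .. 31` would not rely on that. Finally, check_ip here is a near-copy of the one in convert-outgoingfw (differing only in `/32` versus `/255.255.255.255` for a single host); it belongs in firewall-lib.pl so both converters validate addresses the same way.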
diff --git a/config/firewall/convert-outgoingfw b/config/firewall/convert-outgoingfw new file mode 100755 index 0000000..0d7f7d3 --- /dev/null +++ b/config/firewall/convert-outgoingfw 
@@ -0,0 +1,704 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### +# # +# This script converts old groups and firewallrules # +# to the new one. This is a 3-step process. 
# +# STEP1: convert groups ->LOG /var/log/converters # +# STEP2: convert rules ->LOG /var/log/converters # +# STEP3: convert P2P rules # +# # +############################################################################### + +require '/var/ipfire/general-functions.pl'; + +use Socket; +use File::Path; +use File::Copy; + +my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/"; +my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/"; +my $outgoingrules = "${General::swroot}/outgoing/rules"; +my $outfwsettings = "${General::swroot}/outgoing/settings"; +my $host = "Converted "; +my $confighosts = "${General::swroot}/fwhosts/customhosts"; +my $confignets = "${General::swroot}/fwhosts/customnetworks"; +my $configgroups = "${General::swroot}/fwhosts/customgroups"; +my $ovpnsettings = "${General::swroot}/ovpn/settings"; +my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig"; +my $ccdconfig = "${General::swroot}/ovpn/ccd.conf"; +my $fwdfwconfig = "${General::swroot}/firewall/config"; +my $outfwconfig = "${General::swroot}/firewall/outgoing"; +my $fwdfwsettings = "${General::swroot}/firewall/settings"; +my @ipgroups = qx(ls $ipgrouppath); +my @macgroups = qx(ls $macgrouppath); +my @hostarray=(); +my %outsettings=(); +my %hosts=(); +my %nets=(); +my %groups=(); +my %settingsovpn=(); +my %configovpn=(); +my %ccdconf=(); +my %fwconfig=(); +my %fwconfigout=(); +my %fwdsettings=(); +my %ownnet=(); +my %ovpnSettings = (); +&General::readhash("${General::swroot}/ovpn/settings", %ovpnSettings); +&General::readhash($outfwsettings,%outsettings); +&General::readhash("${General::swroot}/ethernet/settings", %ownnet); +#ONLY RUN if /var/ipfire/outgoing exists +if ( -d "/var/ipfire/outgoing"){ + &process_groups; + &process_rules; + &process_p2p; +} +system("/usr/local/bin/firewallctrl"); +sub process_groups +{ + if(! 
-d "/var/log/converters"){ mkdir("/var/log/converters");} + if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");} + open (LOG, ">/var/log/converters/groups-convert.log") or die $!; + #IP Group processing + foreach my $group (@ipgroups){ + my $now=localtime; + chomp $group; + print LOG "\n$now Processing IP-GROUP: $group...\n"; + open (DATEI, "<$ipgrouppath/$group"); + my @zeilen = <DATEI>; + foreach my $ip (@zeilen){ + chomp($ip); + $ip =~ s/\s//gi; + print LOG "$now Check IP $ip from Group $group "; + my $val=&check_ip($ip); + if($val){ + push(@hostarray,$val.",ip"); + print LOG "$now -> OK\n"; + } + else{ + print LOG "$now -> IP "$ip" from group $group not converted (invalid IP) \n"; + } + $val=''; + } + &new_hostgrp($group,'ip'); + @hostarray=(); + } + $group=''; + @zeilen=(); + @hostarray=(); + #MAC Group processing + foreach my $group (@macgroups){ + chomp $group; + print LOG "\nProcessing MAC-GROUP: $group...\n"; + open (DATEI, "<$macgrouppath/$group"); + my @zeilen = <DATEI>; + foreach my $mac (@zeilen){ + chomp($mac); + $mac =~ s/\s//gi; + print LOG "$now Checking MAC $mac from group $group "; + #MAC checking + if(&General::validmac($mac)){ + $val=$mac; + } + if($val){ + push(@hostarray,$val.",mac"); + print LOG "$now -> OK\n"; + } + else{ + print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n"; + } + $val=''; + } + &new_hostgrp($group,'mac'); + @hostarray=(); + @zeilen=(); + } + close (LOG); +} +sub check_ip +{ + my $adr=shift; + my $a; + #ip with subnet in decimal + if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)/(\d{1,2})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + my $b = &General::iporsubtodec($5); + $a=$adr."/".$b; + }elsif($adr =~ /^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + if(&General::validip($adr)){ + $a=$adr."/255.255.255.255"; + } + } + if(&General::validipandmask($adr)){ + $a=&General::iporsubtodec($adr); + } + return 
$a; +} +sub new_hostgrp +{ + &General::readhasharray($confighosts,%hosts); + &General::readhasharray($confignets,%nets); + &General::readhasharray($configgroups,%groups); + my $grp=shift; + my $run=shift; + my $name; #"converted" + my $name2; + my $name3; #custom host/custom net + foreach my $adr (@hostarray){ + if($run eq 'ip'){ + my ($ip,$type) = split(",",$adr); + my ($ippart,$subnet) = split("/",$ip); + my ($byte1,$byte2,$byte3,$byte4) = split(/./,$subnet); + if($byte4 eq '255'){ + print LOG "Processing SINGLE HOST $ippart/$subnet from group $grp\n"; + if(!&check_host($ip)){ + my $key = &General::findhasharraykey(%hosts); + $name="host "; + $name2=$name.$ippart; + $name3="Custom Host"; + $hosts{$key}[0] = $name2; + $hosts{$key}[1] = $type; + $hosts{$key}[2] = $ip; + $hosts{$key}[3] = ''; + $hosts{$key}[4] = 1; + print LOG "->Host (IP) $ip added to custom hosts\n" + }else{ + print LOG "->Host (IP) $ip already exists in custom hosts\n"; + $name="host "; + $name2=$name.$ippart; + foreach my $key (sort keys %hosts){ + if($hosts{$key}[0] eq $name2){ + $hosts{$key}[4]++; + } + } + $name="host "; + $name2=$name.$ippart; + $name3="Custom Host"; + } + }elsif($byte4 < '255'){ + print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n"; + if(!&check_net($ippart,$subnet)){ + #Check if this network is one one of IPFire internal networks + if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'})) + { + $name2='GREEN'; + $name3='Standard Network'; + }elsif (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'})) + { + $name2='ORANGE'; + $name3='Standard Network'; + }elsif (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'})) + { + 
$name2='BLUE'; + $name3='Standard Network'; + }elsif ($ippart eq '0.0.0.0') + { + $name2='ALL'; + $name3='Standard Network'; + }elsif(defined($ovpnSettings{'DOVPN_SUBNET'}) && "$ippart/".&General::iporsubtodec($subnet) eq $ovpnSettings{'DOVPN_SUBNET'}) + { + $name2='OpenVPN-Dyn'; + $name3='Standard Network'; + }else{ + my $netkey = &General::findhasharraykey(%nets); + $name="net "; + $name2=$name.$ippart; + $name3="Custom Network"; + $nets{$netkey}[0] = $name2; + $nets{$netkey}[1] = $ippart; + $nets{$netkey}[2] = $subnet; + $nets{$netkey}[3] = ''; + $nets{$netkey}[4] = 1; + print LOG "->Network $ippart/$subnet added to custom networks\n"; + } + }else{ + print LOG "Network $ippart already exists in custom networks\n"; + $name="net "; + $name2=$name.$ippart; + foreach my $key (sort keys %nets){ + if($nets{$key}[0] eq $name2){ + $nets{$key}[4]++; + } + } + $name="net "; + $name2=$name.$ippart; + $name3="Custom Network"; + } + } + if($name2 && !&check_grp($grp,$name2)){ + my $grpkey = &General::findhasharraykey(%groups); + $groups{$grpkey}[0] = $grp; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = $name3; + $groups{$grpkey}[4] = 0; + print LOG "->$name2 added to group $grp\n"; + } + }elsif($run eq 'mac'){ + #MACRUN + my ($mac,$type) = split(",",$adr); + print LOG "Processing HOST (MAC) $mac\n"; + if(!&check_host($mac)){ + my $key = &General::findhasharraykey(%hosts); + $name="host "; + $name2=$name.$mac; + $name3="Custom Host"; + $hosts{$key}[0] = $name2; + $hosts{$key}[1] = $type; + $hosts{$key}[2] = $mac; + $hosts{$key}[3] = ''; + $hosts{$key}[4] = 1; + print LOG "->Host (MAC) $mac added to custom hosts\n"; + }else{ + print LOG "->Host (MAC) $mac already exists in custom hosts \n"; + $name="host "; + $name2=$name.$mac; + foreach my $key (sort keys %hosts){ + if($hosts{$key}[0] eq $name2){ + $hosts{$key}[4]++; + } + } + $name="host "; + $name2=$name.$mac; + $name3="Custom Host"; + } + if($name2 && !&check_grp($grp,$name2)){ + my 
$grpkey = &General::findhasharraykey(%groups); + $groups{$grpkey}[0] = $grp; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = $name3; + $groups{$grpkey}[4] = 0; + print LOG "->$name2 added to group $grp\n"; + } + } + } + @hostarray=(); + &General::writehasharray($confighosts,%hosts); + &General::writehasharray($configgroups,%groups); + &General::writehasharray($confignets,%nets); + +} +sub check_host +{ + my $ip=shift; + foreach my $key (sort keys %hosts) + { + if($hosts{$key}[2] eq $ip) + { + return 1; + } + } + return 0; +} +sub check_net +{ + my $ip=shift; + my $sub=shift; + foreach my $key (sort keys %nets) + { + if($nets{$key}[1] eq $ip && $nets{$key}[2] eq $sub) + { + return 1; + } + } + return 0; +} +sub check_grp +{ + my $grp=shift; + my $value=shift; + foreach my $key (sort keys %groups) + { + if($groups{$key}[0] eq $grp && $groups{$key}[2] eq $value) + { + return 1; + } + } + return 0; +} +sub process_rules +{ + my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); + #open LOG + if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");} + open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!; + + &General::readhash($fwdfwsettings,%fwdsettings); + if ($outsettings{'POLICY'} eq 'MODE1'){ + $fwdsettings{'POLICY'}='MODE1'; + $fwdsettings{'POLICY1'}='MODE2'; + $type='ALLOW'; + $action='ACCEPT'; + }else{ + $fwdsettings{'POLICY'}='MODE2'; + $fwdsettings{'POLICY1'}='MODE2'; + $type='DENY'; + $action='DROP'; + } + &General::writehash($fwdfwsettings,%fwdsettings); + open (DATEI, "<$outgoingrules"); + my @lines = <DATEI>; + foreach my $rule (@lines) + { + my $now=localtime; + chomp($rule); + $port=''; + print LOG "$now processing: $rule\n"; + my @configline=(); + @configline = split( /;/, $rule ); + my @prot=(); + if($configline[0] 
eq $type){ + #some variables we can use from old config + if($configline[1] eq 'on'){ $active='ON';}else{$active='';} + if($configline[3] eq 'all' && $configline[8] ne ''){ + push(@prot,"TCP"); + push(@prot,"UDP"); + }elsif($configline[3] eq 'all' && $configline[8] eq ''){ + push(@prot,""); + }else{ + push(@prot,$configline[3]); + } + if($configline[4] ne ''){ + $configline[4] =~ s/,/;/g; + $remark = $configline[4]; + }else{$remark = '';} + if($configline[9] eq 'Active'){ $log='ON';}else{$log='';} + if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){ + if($configline[17] eq '00:00' && $configline[18] eq '00:00'){ + $time=''; + }else{ + $time='ON'; + } + }else{ + $time='ON'; + } + $time_mon=$configline[10]; + $time_tue=$configline[11]; + $time_wed=$configline[12]; + $time_thu=$configline[13]; + $time_fri=$configline[14]; + $time_sat=$configline[15]; + $time_sun=$configline[16]; + $time_from=$configline[17]; + $time_to=$configline[18]; + ############################################################ + #sourcepart + if ($configline[2] eq 'green') { + $grp1='std_net_src'; + $source='GREEN'; + }elsif ($configline[2] eq 'orange') { + $grp1='std_net_src'; + $source='ORANGE'; + }elsif ($configline[2] eq 'red') { + $grp1='std_net_src'; + $source='IPFire'; + &General::readhash($fwdfwsettings,%fwdsettings); + $fwdsettings{'POLICY1'}=$outsettings{'POLICY'}; + $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; + &General::writehash($fwdfwsettings,%fwdsettings); + }elsif ($configline[2] eq 'blue') { + $grp1='std_net_src'; + $source='BLUE'; + }elsif ($configline[2] eq 'ipsec') { + print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n"; + next; + }elsif ($configline[2] eq 'ovpn') { + print LOG "$now ->Creating networks/groups for OpenVPN...\n"; + &build_ovpn_grp; + $grp1='cust_grp_src'; + $source='ovpn' + }elsif 
($configline[2] eq 'ip') { + my $z=&check_ip($configline[5]); + if($z){ + my ($ipa,$subn) = split("/",$z); + $subn=&General::iporsubtocidr($subn); + $grp1='src_addr'; + $source="$ipa/$subn"; + }else{ + print LOG "$now -> Rule not converted, missing/invalid source ip "$configline[5]"\n"; + next; + } + }elsif ($configline[2] eq 'mac') { + if(&General::validmac($configline[6])){ + $grp1='src_addr'; + $source=$configline[6]; + }else{ + print LOG"$now -> Rule not converted, invalid MAC "$configline[6]" \n"; + next; + } + }elsif ($configline[2] eq 'all') { + $grp1='std_net_src'; + $source='ALL'; + }else{ + foreach my $key (sort keys %groups){ + if($groups{$key}[0] eq $configline[2]){ + $grp1='cust_grp_src'; + $source=$configline[2]; + } + } + if ($grp1 eq '' || $source eq ''){ + print LOG "$now -> Rule not converted, no valid source recognised\n"; + } + } + ############################################################ + #destinationpart + if($configline[7] ne ''){ + my $address=&check_ip($configline[7]); + if($address){ + my ($dip,$dsub) = split("/",$address); + $dsub=&General::iporsubtocidr($dsub); + $grp2='tgt_addr'; + $target="$dip/$dsub"; + }elsif(!$address){ + my $getwebsiteip=&get_ip_from_domain($configline[7]); + if ($getwebsiteip){ + $grp2='tgt_addr'; + $target=$getwebsiteip; + $remark.=" $configline[7]"; + }else{ + print LOG "$now -> Rule not converted, invalid domain "$configline[7]"\n"; + next; + } + } + }else{ + $grp2='std_net_tgt'; + $target='ALL'; + } + if($configline[8] ne '' && $configline[3] ne 'gre' && $configline[3] ne 'esp'){ + my @values=(); + my @parts=split(",",$configline[8]); + foreach (@parts){ + $_=~ tr/-/:/; + if (!($_ =~ /^(\d+):(\d+)$/)) { + if(&General::validport($_)){ + $useport='ON'; + push (@values,$_); + $grp3='TGT_PORT'; + }else{ + print LOG "$now -> Rule not converted, invalid destination Port "$configline[8]"\n"; + next; + } + }else{ + my ($a1,$a2) = split(/:/,$_); + if (&General::validport($a1) && &General::validport($a2) && $a1 < 
$a2){ + $useport='ON'; + push (@values,"$a1:$a2"); + $grp3='TGT_PORT'; + }else{ + print LOG "$now -> Rule not converted, invalid destination Port "$configline[8]"\n"; + next; + } + } + } + $port=join("|",@values); + @values=(); + @parts=(); + } + }else{ + print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; + } + &General::readhasharray($fwdfwconfig,%fwconfig); + &General::readhasharray($outfwconfig,%fwconfigout); + my $check; + my $chain; + foreach my $protocol (@prot){ + my $now=localtime; + if ($source eq 'IPFire'){ + $chain='OUTGOINGFW'; + }else{ + $chain='FORWARDFW'; + } + $protocol=uc($protocol); + print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; + #Put rules into system.... + ########################### + #check for double rules + foreach my $key (sort keys %fwconfig){ + if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to" + eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){ + $check='on'; + next; + } + } + if($check ne 'on'){ + #increase groupcounter + my $check1; + if($grp1 eq 'cust_grp_src'){ + foreach my $key (sort keys %groups){ + if($groups{$key}[0] eq $source){ + $groups{$key}[4]++; + $check1='on'; + } + } + if($check1 eq 'on'){ + 
&General::writehasharray($configgroups,%groups); + } + } + if ($chain eq 'FORWARDFW'){ + my $key = &General::findhasharraykey(%fwconfig); + $fwconfig{$key}[0] = $action; + $fwconfig{$key}[1] = $chain; + $fwconfig{$key}[2] = $active; + $fwconfig{$key}[3] = $grp1; + $fwconfig{$key}[4] = $source; + $fwconfig{$key}[5] = $grp2; + $fwconfig{$key}[6] = $target; + $fwconfig{$key}[11] = $useport; + $fwconfig{$key}[12] = $protocol; + $fwconfig{$key}[14] = $grp3; + $fwconfig{$key}[15] = $port; + $fwconfig{$key}[16] = $remark; + $fwconfig{$key}[17] = $log; + $fwconfig{$key}[18] = $time; + $fwconfig{$key}[19] = $time_mon; + $fwconfig{$key}[20] = $time_tue; + $fwconfig{$key}[21] = $time_wed; + $fwconfig{$key}[22] = $time_thu; + $fwconfig{$key}[23] = $time_fri; + $fwconfig{$key}[24] = $time_sat; + $fwconfig{$key}[25] = $time_sun; + $fwconfig{$key}[26] = $time_from; + $fwconfig{$key}[27] = $time_to; + $fwconfig{$key}[28] = ''; + $fwconfig{$key}[29] = 'ALL'; + $fwconfig{$key}[30] = ''; + $fwconfig{$key}[31] = 'dnat'; + }else{ + my $key = &General::findhasharraykey(%fwconfigout); + $fwconfigout{$key}[0] = $action; + $fwconfigout{$key}[1] = $chain; + $fwconfigout{$key}[2] = $active; + $fwconfigout{$key}[3] = $grp1; + $fwconfigout{$key}[4] = $source; + $fwconfigout{$key}[5] = $grp2; + $fwconfigout{$key}[6] = $target; + $fwconfigout{$key}[11] = $useport; + $fwconfigout{$key}[12] = $protocol; + $fwconfigout{$key}[14] = $grp3; + $fwconfigout{$key}[15] = $port; + $fwconfigout{$key}[16] = $remark; + $fwconfigout{$key}[17] = $log; + $fwconfigout{$key}[18] = $time; + $fwconfigout{$key}[19] = $time_mon; + $fwconfigout{$key}[20] = $time_tue; + $fwconfigout{$key}[21] = $time_wed; + $fwconfigout{$key}[22] = $time_thu; + $fwconfigout{$key}[23] = $time_fri; + $fwconfigout{$key}[24] = $time_sat; + $fwconfigout{$key}[25] = $time_sun; + $fwconfigout{$key}[26] = $time_from; + $fwconfigout{$key}[27] = $time_to; + $fwconfigout{$key}[28] = ''; + $fwconfigout{$key}[29] = 'ALL'; + $fwconfigout{$key}[30] = 
''; + $fwconfigout{$key}[31] = 'dnat'; + } + &General::writehasharray($fwdfwconfig,%fwconfig); + &General::writehasharray($outfwconfig,%fwconfigout); + } + } + @prot=(); + } + close(LOG); + @lines=(); +} +sub get_ip_from_domain +{ + $web=shift; + my $resolvedip; + my $checked; + my ($name,$aliases,$addrtype,$length,@addrs) = gethostbyname($web); + if(@addrs){ + $resolvedip=inet_ntoa($addrs[0]); + return $resolvedip; + } + return; +} +sub build_ovpn_grp +{ + my $now=localtime; + &General::readhasharray($confighosts,%hosts); + &General::readhasharray($confignets,%nets); + &General::readhasharray($configgroups,%groups); + &General::readhasharray($ovpnconfig,%configovpn); + &General::readhasharray($ccdconfig,%ccdconf); + &General::readhash($ovpnsettings,%settingsovpn); + #get ovpn nets + my @ovpnnets=(); + if($settingsovpn{'DOVPN_SUBNET'}){ + my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'}); + push (@ovpnnets,"$net,$subnet,dynamic"); + print LOG "$now ->found dynamic OpenVPN net\n"; + } + foreach my $key (sort keys %ccdconf){ + my ($net,$subnet)=split("/",$ccdconf{$key}[1]); + $subnet=&General::iporsubtodec($subnet); + push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]"); + print LOG "$now ->found OpenVPN static net $net/$subnet\n"; + } + foreach my $key (sort keys %configovpn){ + if ($configovpn{$key}[3] eq 'net'){ + my ($net,$subnet)=split("/",$configovpn{$key}[27]); + push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]"); + print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n"; + } + } + #add ovpn nets to customnetworks/groups + foreach my $line (@ovpnnets){ + my $now=localtime; + my ($net,$subnet,$name) = split(",",$line); + if (!&check_net($net,$subnet)){ + my $netkey = &General::findhasharraykey(%nets); + $name2=$name."(ovpn)".$net; + $name3="Custom Network"; + $nets{$netkey}[0] = $name2; + $nets{$netkey}[1] = $net; + $nets{$netkey}[2] = $subnet; + $nets{$netkey}[3] = ''; + $nets{$netkey}[4] = 1; + print LOG "$now ->added $name2 $net/$subnet 
to customnetworks\n"; + }else{ + print LOG "-> Custom Network with same IP already exist "$net/$subnet" (you can ignore this, if this run was manual from shell)\n"; + } + if($name2){ + my $grpkey = &General::findhasharraykey(%groups); + $groups{$grpkey}[0] = "ovpn"; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = "Custom Network"; + $groups{$grpkey}[4] = 0; + print LOG "$now ->added $name2 to customgroup ovpn\n"; + } + $name2=''; + } + @ovpnnets=(); + &General::writehasharray($confighosts,%hosts); + &General::writehasharray($configgroups,%groups); + &General::writehasharray($confignets,%nets); + print LOG "$now ->finished OVPN\n"; +} +sub process_p2p +{ + copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/firewall/p2protocols"); + chmod oct('0777'), '/var/ipfire/firewall/p2protocols'; +} diff --git a/config/firewall/convert-portfw b/config/firewall/convert-portfw new file mode 100755 index 0000000..f6ddd25 --- /dev/null +++ b/config/firewall/convert-portfw 
@@ -0,0 +1,158 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### +# # +# This script converts old portforwarding rules from old Firewall # +# to the new one. This is a 3-step process. # +# STEP1: read old config and normalize settings # +# STEP2: create new rules from old ones # +# STEP3: check if rule already exists, when not, put it into # +# /var/ipfire/firewall/config # +############################################################################### +require '/var/ipfire/general-functions.pl'; +my @values=(); +my @built_rules=(); +my %nat=(); +my $portfwconfig = "${General::swroot}/portfw/config"; +my $confignat = "${General::swroot}/firewall/config"; +my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark); +my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1); +my $count=0; +my $jump; +if(! 
-d "/var/log/converters"){ mkdir("/var/log/converters");} +open(FILE, $portfwconfig) or die 'Unable to open config file.'; +my @current = <FILE>; +close(FILE); +open (LOG, ">/var/log/converters/portfw-convert.log") or die $!; +open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; +my @alias = <ALIAS>; +close(ALIAS); +&get_config; +&build_rules; +&write_rules; +sub get_config +{ + print LOG "STEP 1: Get config from old portforward\n#########################################\n"; + foreach my $line (@current){ + if($jump eq '1'){ + $jump=''; + $count++; + next; + } + my $u=$count+1; + ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line); + ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]); + if ($flag1 eq '1'){ + $source=$source1; + $jump='1'; + } + my $now=localtime; + chomp($remark); + print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n"; + push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark); + $count++; + } +} +sub build_rules +{ + print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n"; + my $src; + my $src1; + my $ipfireip; + my $count=0; + my $stop; + #build rules for new firewall + foreach my $line (@values){ + chomp ($line); + ($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line); + $count++; + #get sourcepart + if($source eq '0.0.0.0/0'){ + $src = 'std_net_src'; + $src1 = 'ALL'; + }else{ + $src = 'src_addr'; + my ($a,$b) = split("/",$source); + $src1 = $a."/32"; + } + #get ipfire ip + if($alias eq '0.0.0.0'){ + $alias='ALL'; + }else{ + foreach my $ali (@alias){ + my 
($alias_ip,$alias_active,$alias_name) = split (",",$ali); + if($alias eq $alias_ip){ + chomp($alias_name); + $alias=$alias_name; + } + } + } + $active = uc $active; + $prot = uc $prot; + chomp($remark); + push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat"); + my $now=localtime; + print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n"; + } +} +sub write_rules +{ + my $skip=''; + my $id; + print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n"; + &General::readhasharray($confignat,%nat); + foreach my $line (@built_rules){ + $skip=''; + my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line); + foreach my $key (sort keys %nat){ + if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){ + my $now=localtime; + print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n"; + $skip='1'; + } + } + if ($skip ne '1'){ + $id = &General::findhasharraykey(%nat); + $nat{$id}[0] = $action; + $nat{$id}[1] = $chain; + $nat{$id}[2] = $active; + $nat{$id}[3] = $src; + $nat{$id}[4] = $src1; + $nat{$id}[5] = $tgt; + $nat{$id}[6] = $tgt1; + $nat{$id}[11] = $use_prot; + $nat{$id}[12] = $prot; + $nat{$id}[13] = $dummy; + 
$nat{$id}[14] = $tgt_port; + $nat{$id}[15] = $tgt_port1; + $nat{$id}[16] = $remark; + $nat{$id}[26] = $from; + $nat{$id}[27] = $to; + $nat{$id}[28] = $use_port; + $nat{$id}[29] = $alias; + $nat{$id}[30] = $ipfireport; + $nat{$id}[31] = $dnat; + my $now=localtime; + print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n"; + } + } + &General::writehasharray($confignat,%nat); +} +close (LOG); diff --git a/config/firewall/convert-xtaccess b/config/firewall/convert-xtaccess new file mode 100755 index 0000000..e04ab6d --- /dev/null +++ b/config/firewall/convert-xtaccess 
@@ -0,0 +1,141 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### +# # +#This script converts old xtaccess rules to new firewall # +#Logfiles are created under /var/log/converters # +# # +############################################################################### +my @current=(); +my @alias=(); +my %configinputfw=(); +require '/var/ipfire/general-functions.pl'; +my $xtaccessconfig = "${General::swroot}/xtaccess/config"; +my $inputfwconfig = "${General::swroot}/firewall/input"; +my $aliasconfig = "${General::swroot}/ethernet/aliases"; +my $field0='ACCEPT'; +my $field1='INPUTFW'; +my $field2=''; #ON or emtpy +my $field3=''; #std_net_src or src_addr +my $field4=''; #ALL or IP-Address with /32 +my $field5='ipfire'; +my $field6=''; #Default IP or alias name +my $field11='ON'; #use target port +my $field12=''; #TCP or UDP +my $field13='All ICMP-Types'; +my $field14='TGT_PORT'; +my $field15=''; #Port Number +my $field16=''; #remark +my $field26='00:00'; +my $field27='00:00'; +my $field28 = ''; +my $field29 = 'ALL'; +my $field30 = ''; +my $field31 = 'dnat'; +open(FILE, 
$xtaccessconfig) or die 'Unable to open config file.'; +my @current = <FILE>; +close(FILE); +open(FILE1, $aliasconfig) or die 'Unable to open config file.'; +my @alias = <FILE1>; +close(FILE1); +&General::readhasharray($inputfwconfig,%configinputfw); + +foreach my $line (@current){ + my ($a,$b,$c,$d,$e,$f) = split (",",$line); + $e =~ s/\R//g; + if ($f gt ''){ + $f =~ s/\R//g; + $field16=$f; + } + #active or not + $field2=uc($d); + #get protocol + if ($a eq 'tcp'){ $field12 ='TCP';}else{$field12='UDP';} + #check source address + if ($b eq '0.0.0.0/0'){ + $field3='std_net_src'; + $field4='ALL'; + }elsif($b =~/^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){ + $field3='src_addr'; + $field4=$b."/32"; + }elsif ($b =~ /^(.*?)/(.*?)$/) { + $field3='src_addr'; + $field4=$b; + }else{ + print "Regel konnte nicht konvertiert werden!\n"; + } + #check ipfire address + if ($e eq '0.0.0.0'){ + $field6 = 'RED1'; + }else{ + foreach my $line (@alias){ + my ($ip,$state,$aliasname) = split (",",$line); + if ($ip eq $e){ + $aliasname =~ s/\R//g; + $field6 = $aliasname; + } + } + } + #get target port + $c=~ s/\R//g; + $c=~ tr/-/:/; + if ($c =~ /^(\D):(\d+)$/) { + $c = "1:$2"; + } + if ($c =~ /^(\d+):(\D)$/) { + $c = "$1:65535"; + } + $field15=$c; + my $key = &General::findhasharraykey (%configinputfw); + foreach my $i (0 .. 
31) { $configinputfw{$key}[$i] = "";} + $configinputfw{$key}[0] = $field0; + $configinputfw{$key}[1] = $field1; + $configinputfw{$key}[2] = $field2; + $configinputfw{$key}[3] = $field3; + $configinputfw{$key}[4] = $field4; + $configinputfw{$key}[5] = $field5; + $configinputfw{$key}[6] = $field6; + $configinputfw{$key}[7] = ''; + $configinputfw{$key}[8] = ''; + $configinputfw{$key}[9] = ''; + $configinputfw{$key}[10] = ''; + $configinputfw{$key}[11] = $field11; + $configinputfw{$key}[12] = $field12; + $configinputfw{$key}[13] = $field13; + $configinputfw{$key}[14] = $field14; + $configinputfw{$key}[15] = $field15; + $configinputfw{$key}[16] = $field16; + $configinputfw{$key}[17] = ''; + $configinputfw{$key}[18] = ''; + $configinputfw{$key}[19] = ''; + $configinputfw{$key}[20] = ''; + $configinputfw{$key}[21] = ''; + $configinputfw{$key}[22] = ''; + $configinputfw{$key}[23] = ''; + $configinputfw{$key}[24] = ''; + $configinputfw{$key}[25] = ''; + $configinputfw{$key}[26] = $field26; + $configinputfw{$key}[27] = $field27; + $configinputfw{$key}[28] = $field28; + $configinputfw{$key}[29] = $field29; + $configinputfw{$key}[30] = $field30; + $configinputfw{$key}[31] = $field31; + &General::writehasharray($inputfwconfig,%configinputfw); +} diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl new file mode 100755 index 0000000..f1e8403 --- /dev/null +++ b/config/firewall/firewall-lib.pl 
@@ -0,0 +1,256 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +use strict; +no warnings 'uninitialized'; + +package fwlib; + +my %customnetwork=(); +my %customhost=(); +my %customgrp=(); +my %customservice=(); +my %customservicegrp=(); +my %ccdnet=(); +my %ccdhost=(); +my %ipsecconf=(); +my %ipsecsettings=(); +my %netsettings=(); +my %ovpnsettings=(); + +require '/var/ipfire/general-functions.pl'; + +my $confignet = "${General::swroot}/fwhosts/customnetworks"; +my $confighost = "${General::swroot}/fwhosts/customhosts"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $configsrv = "${General::swroot}/fwhosts/customservices"; +my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; +my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; +my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; +my $configipsec = "${General::swroot}/vpn/config"; +my $configovpn = "${General::swroot}/ovpn/settings"; +my $val; +my $field; + +&General::readhash("/var/ipfire/ethernet/settings", %netsettings); +&General::readhash("${General::swroot}/ovpn/settings", 
%ovpnsettings); +&General::readhash("${General::swroot}/vpn/settings", %ipsecsettings); + + +&General::readhasharray("$confignet", %customnetwork); +&General::readhasharray("$confighost", %customhost); +&General::readhasharray("$configgrp", %customgrp); +&General::readhasharray("$configccdnet", %ccdnet); +&General::readhasharray("$configccdhost", %ccdhost); +&General::readhasharray("$configipsec", %ipsecconf); +&General::readhasharray("$configsrv", %customservice); +&General::readhasharray("$configsrvgrp", %customservicegrp); + +sub get_srv_prot +{ + my $val=shift; + foreach my $key (sort {$a <=> $b} keys %customservice){ + if($customservice{$key}[0] eq $val){ + if ($customservice{$key}[0] eq $val){ + return $customservice{$key}[2]; + } + } + } +} +sub get_srvgrp_prot +{ + my $val=shift; + my @ips=(); + my $tcp; + my $udp; + my $icmp; + foreach my $key (sort {$a <=> $b} keys %customservicegrp){ + if($customservicegrp{$key}[0] eq $val){ + if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ + $tcp=1; + }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ + $udp=1; + }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){ + $icmp=1; + } + } + } + if ($tcp eq '1'){push (@ips,'TCP');} + if ($udp eq '1'){push (@ips,'UDP');} + if ($icmp eq '1'){push (@ips,'ICMP');} + my $back=join(",",@ips); + return $back; + +} + + +sub get_srv_port +{ + my $val=shift; + my $field=shift; + my $prot=shift; + foreach my $key (sort {$a <=> $b} keys %customservice){ + if($customservice{$key}[0] eq $val){ + if($customservice{$key}[2] eq $prot){ + return $customservice{$key}[$field]; + } + } + } +} +sub get_srvgrp_port +{ + my $val=shift; + my $prot=shift; + my $back; + my $value; + my @ips=(); + foreach my $key (sort {$a <=> $b} keys %customservicegrp){ + if($customservicegrp{$key}[0] eq $val){ + if ($prot ne 'ICMP'){ + $value=&get_srv_port($customservicegrp{$key}[2],1,$prot); + }elsif ($prot eq 'ICMP'){ + $value=&get_srv_port($customservicegrp{$key}[2],3,$prot); + } + push 
(@ips,$value) if ($value ne '') ; + } + } + if($prot ne 'ICMP'){ + if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";} + }elsif ($prot eq 'ICMP'){ + $back="--icmp-type "; + } + + $back.=join(",",@ips); + return $back; +} +sub get_ipsec_net_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ipsecconf){ + if($ipsecconf{$key}[1] eq $val){ + return $ipsecconf{$key}[$field]; + } + } +} +sub get_ipsec_host_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ipsecconf){ + if($ipsecconf{$key}[1] eq $val){ + return $ipsecconf{$key}[$field]; + } + } +} +sub get_ovpn_n2n_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ccdhost){ + if($ccdhost{$key}[1] eq $val){ + return $ccdhost{$key}[$field]; + } + } +} +sub get_ovpn_host_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ccdhost){ + if($ccdhost{$key}[1] eq $val){ + return $ccdhost{$key}[$field]; + } + } +} +sub get_ovpn_net_ip +{ + + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ccdnet){ + if($ccdnet{$key}[0] eq $val){ + return $ccdnet{$key}[$field]; + } + } +} +sub get_grp_ip +{ + my $val=shift; + my $src=shift; + foreach my $key (sort {$a <=> $b} keys %customgrp){ + if ($customgrp{$key}[0] eq $val){ + &get_address($customgrp{$key}[3],$src); + } + } + +} +sub get_std_net_ip +{ + my $val=shift; + my $con=shift; + if ($val eq 'ALL'){ + return "0.0.0.0/0.0.0.0"; + }elsif($val eq 'GREEN'){ + return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + }elsif($val eq 'ORANGE'){ + return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; + }elsif($val eq 'BLUE'){ + return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; + }elsif($val eq 'RED'){ + return "0.0.0.0/0 -o $con"; + }elsif($val =~ /OpenVPN/i){ + return "$ovpnsettings{'DOVPN_SUBNET'}"; + }elsif($val =~ /IPsec/i){ + return 
"$ipsecsettings{'RW_NET'}"; + }elsif($val eq 'IPFire'){ + return ; + } +} +sub get_net_ip +{ + my $val=shift; + foreach my $key (sort {$a <=> $b} keys %customnetwork){ + if($customnetwork{$key}[0] eq $val){ + return "$customnetwork{$key}[1]/$customnetwork{$key}[2]"; + } + } +} +sub get_host_ip +{ + my $val=shift; + my $src=shift; + foreach my $key (sort {$a <=> $b} keys %customhost){ + if($customhost{$key}[0] eq $val){ + if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){ + return "-m mac --mac-source $customhost{$key}[2]"; + }elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){ + return "$customhost{$key}[2]"; + }elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){ + return "$customhost{$key}[2]"; + }elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){ + return "none"; + } + } + } +} + +return 1; diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy new file mode 100755 index 0000000..6d26d5b --- /dev/null +++ b/config/firewall/firewall-policy 
@@ -0,0 +1,124 @@ +#!/bin/sh +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings) +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) + +iptables -F POLICYFWD +iptables -F POLICYOUT +iptables -F POLICYIN + +if [ -f "/var/ipfire/red/iface" ]; then + IFACE="$(</var/ipfire/red/iface)" +fi + +# Figure out what devices are configured. 
+HAVE_BLUE="false" +HAVE_ORANGE="false" + +case "${CONFIG_TYPE}" in + 2) + HAVE_BLUE="true" + ;; + 3) + HAVE_ORANGE="true" + ;; + 4) + HAVE_BLUE="true" + HAVE_ORANGE="true" + ;; +esac + +# INPUT +case "${FWPOLICY2}" in + REJECT) + if [ "${DROPINPUT}" = "on" ]; then + /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT" + fi + /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" + ;; + *) # DROP + if [ "${DROPINPUT}" = "on" ]; then + /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" + fi + /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" + ;; +esac + +# FORWARD +case "${POLICY}" in + MODE1) + case "${FWPOLICY}" in + REJECT) + if [ "${DROPFORWARD}" = "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" + ;; + *) # DROP + if [ "${DROPFORWARD}" = "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" + ;; + esac + ;; + + *) + if [ -n "${IFACE}" ]; then + if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then + /sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP + fi + if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then + /sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! 
-o "${IFACE}" -j DROP + fi + fi + /sbin/iptables -A POLICYFWD -j ACCEPT + /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP + ;; +esac + +# OUTGOING +case "${POLICY1}" in + MODE1) + case "${FWPOLICY1}" in + REJECT) + if [ "${DROPOUTGOING}" = "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" + ;; + *) # DROP + if [ "${DROPOUTGOING}" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + ;; + esac + ;; + *) + /sbin/iptables -A POLICYOUT -j ACCEPT + /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP + ;; +esac + +exit 0 diff --git a/config/firewall/p2protocols b/config/firewall/p2protocols new file mode 100644 index 0000000..7000581 --- /dev/null +++ b/config/firewall/p2protocols @@ -0,0 +1,9 @@ +Applejuice;apple;off; +Ares;ares;off; +Bittorrent;bit;off; +DirectConnect;dc;off; +Edonkey;edk;off; +Gnutella;gnu;off; +KaZaA;kazaa;off; +SoulSeek;soul;off; +WinMX;winmx;off; diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl new file mode 100755 index 0000000..c724aa8 --- /dev/null +++ b/config/firewall/rules.pl 
@@ -0,0 +1,635 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +use strict; +use Time::Local; +no warnings 'uninitialized'; + +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +my %fwdfwsettings=(); +my %defaultNetworks=(); +my %configfwdfw=(); +my %color=(); +my %icmptypes=(); +my %ovpnSettings=(); +my %customgrp=(); +our %sourcehash=(); +our %targethash=(); +my @timeframe=(); +my %configinputfw=(); +my %configoutgoingfw=(); +my %confignatfw=(); +my %aliases=(); +my @DPROT=(); +my @p2ps=(); +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/firewall/bin/firewall-lib.pl"; + +my $configfwdfw = "${General::swroot}/firewall/config"; +my $configinput = "${General::swroot}/firewall/input"; +my $configoutgoing = "${General::swroot}/firewall/outgoing"; +my $p2pfile = "${General::swroot}/firewall/p2protocols"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $netsettings = "${General::swroot}/ethernet/settings"; +my $errormessage = ''; +my $orange = 
''; +my $green = ''; +my $blue = ''; +my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); +my $CHAIN = "FORWARDFW"; +my $conexists = 'off'; +my $command = 'iptables -A'; +my $dnat =''; +my $snat =''; + +&General::readhash("${General::swroot}/firewall/settings", %fwdfwsettings); +&General::readhash("$netsettings", %defaultNetworks); +&General::readhasharray($configfwdfw, %configfwdfw); +&General::readhasharray($configinput, %configinputfw); +&General::readhasharray($configoutgoing, %configoutgoingfw); +&General::readhasharray($configgrp, %customgrp); +&General::get_aliases(%aliases); + +#check if we have an internetconnection +open (CONN,"/var/ipfire/red/iface"); +my $con = <CONN>; +close(CONN); +if (-f "/var/ipfire/red/active"){ + $conexists='on'; +} +open (CONN1,"/var/ipfire/red/local-ipaddress"); +my $redip = <CONN1>; +close(CONN1); +################# +# DEBUG/TEST # +################# +my $MODE=0; # 0 - normal operation + # 1 - print configline and rules to console + # +################# +my $param=shift; + +if($param eq 'flush'){ + if ($MODE eq '1'){ + print " Flushing chains...\n"; + } + &flush; +}else{ + if ($MODE eq '1'){ + print " Flushing chains...\n"; + } + &flush; + if ($MODE eq '1'){ + print " Preparing rules...\n"; + } + &preparerules; + if($MODE eq '0'){ + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ + &p2pblock; + system ("/usr/sbin/firewall-policy"); + }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ + &p2pblock; + system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); + system ("/usr/sbin/firewall-policy"); + system ("/etc/sysconfig/firewall.local reload"); + } + } +} +sub flush +{ + system ("iptables -F FORWARDFW"); + system ("iptables -F INPUTFW"); + system ("iptables -F OUTGOINGFW"); + system ("iptables -t nat -F NAT_DESTINATION"); + system ("iptables -t nat -F NAT_SOURCE"); +} +sub preparerules +{ + if (! -z "${General::swroot}/firewall/config"){ + &buildrules(%configfwdfw); + } + if (! 
-z "${General::swroot}/firewall/input"){ + &buildrules(%configinputfw); + } + if (! -z "${General::swroot}/firewall/outgoing"){ + &buildrules(%configoutgoingfw); + } +} +sub buildrules +{ + my $hash=shift; + my $STAG; + my $natip; + my $snatport; + my $fireport; + my $nat; + my $fwaccessdport; + my $natchain; + my $icmptype; + foreach my $key (sort {$a <=> $b} keys %$hash){ + next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); + $command="iptables -A"; + if ($$hash{$key}[28] eq 'ON'){ + $command='iptables -t nat -A'; + $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); + if($$hash{$key}[31] eq 'dnat'){ + $nat='DNAT'; + if ($$hash{$key}[30] =~ /|/){ + $$hash{$key}[30]=~ tr/|/,/; + $fireport='-m multiport --dport '.$$hash{$key}[30]; + }else{ + $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); + } + }else{ + $nat='SNAT'; + } + } + $STAG=''; + if($$hash{$key}[2] eq 'ON'){ + #get source ip's + if ($$hash{$key}[3] eq 'cust_grp_src'){ + foreach my $grp (sort {$a <=> $b} keys %customgrp){ + if($customgrp{$grp}[0] eq $$hash{$key}[4]){ + &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); + } + } + }else{ + &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); + } + #get target ip's + if ($$hash{$key}[5] eq 'cust_grp_tgt'){ + foreach my $grp (sort {$a <=> $b} keys %customgrp){ + if($customgrp{$grp}[0] eq $$hash{$key}[6]){ + &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); + } + } + }elsif($$hash{$key}[5] eq 'ipfire' ){ + if($$hash{$key}[6] eq 'GREEN'){ + $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($$hash{$key}[6] eq 'BLUE'){ + $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ORANGE'){ + $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ALL'){ + $targethash{$key}[0]='0.0.0.0/0'; + } + if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open 
local-ipaddress"; + $targethash{$key}[0]= <FILE>; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($$hash{$key}[6] eq $alias){ + $targethash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } + }else{ + &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); + } + ##get source prot and port + $SRC_TGT='SRC'; + $SPORT = &get_port($hash,$key); + $SRC_TGT=''; + + ##get target prot and port + $DPROT=&get_prot($hash,$key); + + if ($DPROT eq ''){$DPROT=' ';} + @DPROT=split(",",$DPROT); + + #get time if defined + if($$hash{$key}[18] eq 'ON'){ + my ($time1,$time2,$daylight); + my $daylight=$$hash{$key}[28]; + $time1=&get_time($$hash{$key}[26],$daylight); + $time2=&get_time($$hash{$key}[27],$daylight); + if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} + if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} + if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} + if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} + if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} + if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} + if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} + $TIME=join(",",@timeframe); + + $TIMEFROM="--timestart $time1 "; + $TIMETILL="--timestop $time2 "; + $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; + } + if ($MODE eq '1'){ + print "NR:$key "; + foreach my $i (0 .. 
$#{$$hash{$key}}){ + print "$i: $$hash{$key}[$i] "; + } + print "\n"; + print"##################################\n"; + #print rules to console + foreach my $DPROT (@DPROT){ + $DPORT = &get_port($hash,$key,$DPROT); + $PROT=$DPROT; + $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); + foreach my $a (sort keys %sourcehash){ + foreach my $b (sort keys %targethash){ + if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ + if($DPROT ne ''){ + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} + if(substr($DPORT, 2, 4) eq 'icmp'){ + my @icmprule= split(",",substr($DPORT, 12,)); + foreach (@icmprule){ + $icmptype="--icmp-type "; + if ($_ eq "BLANK") { + $icmptype=""; + $_=""; + } + if ($$hash{$key}[17] eq 'ON'){ + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n"; + } + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n"; + } + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; + if ($$hash{$key}[17] eq 'ON'){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + } + my ($ip,$sub) =split("/",$targethash{$b}[0]); + #Process NAT with servicegroup used + if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; + $fwaccessdport=$DPORT; + }else{ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + $DPORT =~ s/-/:/g; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! 
$DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } + } + print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + } + if ($$hash{$key}[17] eq 'ON' ){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + if ($PROT ne '-p ICMP'){ + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + } + } + } + } + print"\n"; + } + }elsif($MODE eq '0'){ + foreach my $DPROT (@DPROT){ + $DPORT = &get_port($hash,$key,$DPROT); + $PROT=$DPROT; + $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); + foreach my $a (sort keys %sourcehash){ + foreach my $b (sort keys %targethash){ + if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ + if($DPROT ne ''){ + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} + #Process ICMP RULE + if(substr($DPORT, 2, 4) eq 'icmp'){ + my @icmprule= split(",",substr($DPORT, 12,)); + foreach (@icmprule){ + $icmptype="--icmp-type "; + if ($_ eq "BLANK") { + $icmptype=""; + $_=""; + } + if ($$hash{$key}[17] eq 'ON'){ + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); + } + system ("$command 
$$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); + } + #PROCESS DNAT RULE (Portforward) + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; + if ($$hash{$key}[17] eq 'ON'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + } + my ($ip,$sub) =split("/",$targethash{$b}[0]); + #Process NAT with servicegroup used + if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; + $fwaccessdport=$DPORT; + }else{ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + $DPORT =~ s/-/:/g; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } + } + system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + #PROCESS SNAT RULE + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + } + if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) + if ($PROT ne '-p ICMP'){ + system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + #PROCESS Prot ICMP and 
type = All ICMP-Types + if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ + system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + } + } + } + } + } + } + } + %sourcehash=(); + %targethash=(); + undef $TIME; + undef $TIMEFROM; + undef $TIMETILL; + undef $fireport; + } +} +sub get_nat_ip +{ + my $val=shift; + my $type=shift; + my $result; + if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ + $result=$defaultNetworks{$val.'_ADDRESS'}; + }elsif($val eq 'ALL'){ + $result='-i '.$con; + }elsif($val eq 'Default IP' && $type eq 'dnat'){ + $result='-d '.$redip; + }elsif($val eq 'Default IP' && $type eq 'snat'){ + $result=$redip; + }else{ + foreach my $al (sort keys %aliases){ + if($val eq $al && $type eq 'dnat'){ + $result='-d '.$aliases{$al}{'IPT'}; + }elsif($val eq $al && $type eq 'snat'){ + $result=$aliases{$al}{'IPT'}; + } + } + } + return $result; +} +sub get_time +{ + my $val=shift; + my $val1=shift; + my $time; + my $minutes; + my $ruletime; + $minutes = &utcmin($val); + $ruletime = $minutes + &time_get_utc($val); + if ($ruletime < 0){$ruletime +=1440;} + if ($ruletime > 1440){$ruletime -=1440;} + $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; + return $time; +} +sub time_get_utc +{ + # Calculates the UTCtime from a given time + my $val=shift; + my @localtime=localtime(time); + my @gmtime=gmtime(time); + my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); + return $diff; +} +sub utcmin +{ + my $ruletime=shift; + my ($hrs,$min) = split(":",$ruletime); + my $newtime = $hrs*60+$min; + return $newtime; +} +sub p2pblock +{ + my $P2PSTRING; + my $DO; + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = <FILE>; + close FILE; + my $CMD = "-m ipp2p"; + foreach my $p2pentry (sort @p2ps) { + my @p2pline = split( /;/, $p2pentry ); + if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { + $DO = "ACCEPT"; + if 
("$p2pline[2]" eq "on") { + $P2PSTRING = "$P2PSTRING --$p2pline[1]"; + } + }else { + $DO = "RETURN"; + if ("$p2pline[2]" eq "off") { + $P2PSTRING = "$P2PSTRING --$p2pline[1]"; + } + } + } + if ($MODE eq 1){ + if($P2PSTRING){ + print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; + } + }else{ + if($P2PSTRING){ + system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO"); + } + } +} +sub get_address +{ + my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey + my $base2=shift; + my $type=shift; #src or tgt + my $hash; + if ($type eq 'src'){ + $hash=%sourcehash; + }else{ + $hash=%targethash; + } + my $key = &General::findhasharraykey($hash); + if($base eq 'src_addr' || $base eq 'tgt_addr' ){ + if (&General::validmac($base2)){ + $$hash{$key}[0] = "-m mac --mac-source $base2"; + }else{ + $$hash{$key}[0] = $base2; + } + }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ + $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); + }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ + $$hash{$key}[0]=&fwlib::get_net_ip($base2); + }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ + $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); + }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ + $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); + }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ + $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); + }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ + $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); + }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ + $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); + }elsif($base eq 'ipfire_src' ){ + if($base2 eq 'GREEN'){ + $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($base2 
eq 'BLUE'){ + $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($base2 eq 'ORANGE'){ + $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($base2 eq 'ALL'){ + $$hash{$key}[0]='0.0.0.0/0'; + } + if($base2 eq 'RED' || $base2 eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; + $$hash{$key}[0]= <FILE>; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($base2 eq $alias){ + $$hash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } + } +} +sub get_prot +{ + my $hash=shift; + my $key=shift; + #check AH,GRE,ESP or ICMP + if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){ + return "$$hash{$key}[8]"; + } + if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){ + #check if servicegroup or service + if($$hash{$key}[14] eq 'cust_srv'){ + return &fwlib::get_srv_prot($$hash{$key}[15]); + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + return &fwlib::get_srvgrp_prot($$hash{$key}[15]); + }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all" + return "TCP,UDP"; + }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp" + return "$$hash{$key}[8]"; + }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP" + return "$$hash{$key}[8]"; + }else{ + return "$$hash{$key}[8]"; + } + } + #DNAT + if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ + return "$$hash{$key}[8]"; + } +} +sub get_port +{ + my $hash=shift; + my $key=shift; + my $prot=shift; + if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ + if ($$hash{$key}[10] ne ''){ + $$hash{$key}[10] =~ s/|/,/g; + if(index($$hash{$key}[10],",") > 0){ + return "-m multiport --sport $$hash{$key}[10] "; + }else{ + if($$hash{$key}[28] ne 
'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ + return "--sport $$hash{$key}[10] "; + }else{ + return ":$$hash{$key}[10]"; + } + } + } + }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ + if($$hash{$key}[14] eq 'TGT_PORT'){ + if ($$hash{$key}[15] ne ''){ + $$hash{$key}[15] =~ s/|/,/g; + if(index($$hash{$key}[15],",") > 0){ + return "-m multiport --dport $$hash{$key}[15] "; + }else{ + if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ + return "--dport $$hash{$key}[15] "; + }else{ + $$hash{$key}[15] =~ s/:/-/g; + return ":$$hash{$key}[15]"; + } + } + } + }elsif($$hash{$key}[14] eq 'cust_srv'){ + if ($prot ne 'ICMP'){ + if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ + return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + }else{ + return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + } + }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service + return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); + } + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + if ($prot ne 'ICMP'){ + return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); + } + elsif($prot eq 'ICMP'){ + return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); + } + } + } + #CHECK ICMP + if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){ + if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ + return "--icmp-type $$hash{$key}[9] "; + }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ + return; + } + } +} diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz deleted file mode 100755 index efc4386..0000000 --- a/config/forwardfw/convert-dmz +++ /dev/null 
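Review bot: the LOG rule that buildrules emits for ordinary (non-NAT) rules uses $natchain as the chain ("$command $natchain $PROT ... -j LOG" in both the MODE 1 print branch and the MODE 0 system branch), but $natchain is only ever assigned inside the dnat and snat branches and is never reset per rule, so a plain FORWARDFW/INPUTFW rule with logging enabled runs iptables with an empty chain, or with NAT_SOURCE left over from an earlier rule in the wrong table; the ICMP log line already uses $$hash{$key}[1] and this one should too. Three more issues in the same loop: $STAG is set to "-s" the first time a non-MAC source is seen and never cleared, so a source group mixing IP and MAC entries produces "-s -m mac --mac-source ..." for every MAC entry that follows an IP entry (reset $STAG to '' at the top of the inner foreach); @timeframe is pushed to but never emptied, while $TIME, $TIMEFROM and $TIMETILL are undef'd at the end of each rule, so the second time-restricted rule inherits the weekdays of the first (add @timeframe=() to that cleanup); and the address read from /var/ipfire/red/local-ipaddress (in buildrules and again in get_address) is not chomped, so its trailing newline lands inside a single-string system call where /bin/sh treats it as a command separator. Because every address, port and time fragment in those commands comes from the rule configuration, the list form of system (separate arguments, no shell) would also stop those values from being shell-parsed at all. Finally, as rendered here the hunk appears to have lost backslash escapes: get_address assigns $hash=%sourcehash (a hash in scalar context is not a reference, so nothing would ever be written into %sourcehash), and get_port and buildrules use s/|/,/g, m/|/i and =~ /|/, where an unescaped | is an empty alternation that matches every string; please confirm the committed file reads \%sourcehash and \| before this is merged.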
@@ -1,193 +0,0 @@ -#!/usr/bin/perl - -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### -# # -# This script converts old dmz holes rules from old firewall # -# to the new one. This is a 2-step process. 
# -# STEP1: read old config and normalize settings # -# STEP2: check valid ip and save valid rules to new firewall # -# # -############################################################################### -my @current=(); -my @alias=(); -my %configdmz=(); -my %ifaces=(); -my %configfwdfw=(); -require '/var/ipfire/general-functions.pl'; -my $dmzconfig = "${General::swroot}/dmzholes/config"; -my $fwdfwconfig = "${General::swroot}/forward/config"; -my $ifacesettings = "${General::swroot}/ethernet/settings"; -my $field0 = 'ACCEPT'; -my $field1 = 'FORWARDFW'; -my $field2 = ''; #ON or emtpy -my $field3 = ''; #std_net_src or src_addr -my $field4 = ''; #ALL or IP-Address with /32 -my $field5 = ''; #std_net_tgt or tgt_addr -my $field6 = ''; #IP or network name -my $field11 = 'ON'; #use target port -my $field12 = ''; #TCP or UDP -my $field13 = 'All ICMP-Types'; -my $field14 = 'TGT_PORT'; -my $field15 = ''; #Port Number -my $field16 = ''; #remark -my $field26 = '00:00'; -my $field27 = '00:00'; -my $field28 = ''; -my $field29 = 'ALL'; -my $field30 = ''; -my $field31 = 'dnat'; - - -open(FILE, $dmzconfig) or die 'Unable to open config file.'; -my @current = <FILE>; -close(FILE); -#open LOGFILE -open (LOG, ">/var/log/converters/dmz-convert.log") or die $!; -&General::readhash($ifacesettings, %ifaces); -&General::readhasharray($fwdfwconfig,%configfwdfw); -&process_rules; -sub process_rules{ - foreach my $line (@current){ - my $now=localtime; - #get values from old configfile - my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line); - $h =~ s/\s*\n//gi; - print LOG "$now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n"; - #Now convert values and check ip addresses - $a=uc($a); - $e=uc($e); - $field2=$e if($e eq 'ON'); - #SOURCE IP-check - $b=&check_ip($b); - if (&General::validipandmask($b)){ - #When ip valid, check if we have a network - my ($ip,$subnet) = split ("/",$b); - if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){ - $field3='std_net_src'; - 
$field4='ORANGE'; - }elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ - $field3='std_net_src'; - $field4='BLUE'; - }elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){ - $field3='src_addr'; - $field4=$b; - }elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ - $field3='src_addr'; - $field4=$b; - }else{ - print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n"; - next; - } - }else{ - print LOG "$now -> SOURCE IP INVALID. \n\n"; - next; - } - #TARGET IP-check - $c=&check_ip($c); - if (&General::validipandmask($c)){ - my $now=localtime; - #When ip valid, check if we have a network - my ($ip,$subnet) = split ("/",$c); - if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){ - $field5='std_net_tgt'; - $field6='GREEN'; - }elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ - $field5='std_net_tgt'; - $field6='BLUE'; - }elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){ - $field5='tgt_addr'; - $field6=$c; - }elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ - $field5='tgt_addr'; - $field6=$c; - }else{ - print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n"; - next; - } - }else{ - print LOG "$now -> TARGET IP INVALID. \n\n"; - next; - } - $field12=$a; - #convert portrange - $d =~ tr/-/:/; - $field15=$d; - $field16=$h; - my $key = &General::findhasharraykey (%configfwdfw); - foreach my $i (0 .. 
27) { $configfwdfw{$key}[$i] = "";} - $configfwdfw{$key}[0] = $field0; - $configfwdfw{$key}[1] = $field1; - $configfwdfw{$key}[2] = $field2; - $configfwdfw{$key}[3] = $field3; - $configfwdfw{$key}[4] = $field4; - $configfwdfw{$key}[5] = $field5; - $configfwdfw{$key}[6] = $field6; - $configfwdfw{$key}[7] = ''; - $configfwdfw{$key}[8] = ''; - $configfwdfw{$key}[9] = ''; - $configfwdfw{$key}[10] = ''; - $configfwdfw{$key}[11] = $field11; - $configfwdfw{$key}[12] = $field12; - $configfwdfw{$key}[13] = $field13; - $configfwdfw{$key}[14] = $field14; - $configfwdfw{$key}[15] = $field15; - $configfwdfw{$key}[16] = $field16; - $configfwdfw{$key}[17] = ''; - $configfwdfw{$key}[18] = ''; - $configfwdfw{$key}[19] = ''; - $configfwdfw{$key}[20] = ''; - $configfwdfw{$key}[21] = ''; - $configfwdfw{$key}[22] = ''; - $configfwdfw{$key}[23] = ''; - $configfwdfw{$key}[24] = ''; - $configfwdfw{$key}[25] = ''; - $configfwdfw{$key}[26] = $field26; - $configfwdfw{$key}[27] = $field27; - $configfwdfw{$key}[28] = $field28; - $configfwdfw{$key}[29] = $field29; - $configfwdfw{$key}[30] = $field30; - $configfwdfw{$key}[31] = $field31; - print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n"; - } - &General::writehasharray($fwdfwconfig,%configfwdfw); -close (LOG); -} - -sub check_ip -{ - my $adr=shift; - my $a; - #ip with subnet in decimal - if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)/(\d{1,2})$/){ - $adr=int($1).".".int($2).".".int($3).".".int($4); - my $b = &General::iporsubtodec($5); - $a=$adr."/".$b; - }elsif($adr =~ /^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){ - $adr=int($1).".".int($2).".".int($3).".".int($4); - if(&General::validip($adr)){ - $a=$adr."/32"; - } - } - if(&General::validipandmask($adr)){ - $a=&General::iporsubtodec($adr); - } - return $a; -} 
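Review bot: deleting config/forwardfw/convert-dmz removes the migration of ${General::swroot}/dmzholes/config into the new forward rule set, and neither this hunk nor the firewall.pl hunk above adds a replacement; if the converter is being re-homed alongside the forwardfwctrl to firewallctrl rename rather than dropped, the commit message should say where it goes, and two defects are worth carrying over with it: the final "Converted to" log line interpolates $Now, which is never defined (the loop variable is $now, so the timestamp is blank in the log), and the reset loop "foreach my $i (0 .. 27)" only blanks indices 0..27 while the record is written through index 31, so the loop bound no longer matches the record layout it initialises.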
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw deleted file mode 100755 index bd33059..0000000 --- a/config/forwardfw/convert-outgoingfw +++ /dev/null 
@@ -1,704 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### -# # -# This script converts old groups and firewallrules # -# to the new one. This is a 3-step process. 
# -# STEP1: convert groups ->LOG /var/log/converters # -# STEP2: convert rules ->LOG /var/log/converters # -# STEP3: convert P2P rules # -# # -############################################################################### - -require '/var/ipfire/general-functions.pl'; - -use Socket; -use File::Path; -use File::Copy; - -my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/"; -my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/"; -my $outgoingrules = "${General::swroot}/outgoing/rules"; -my $outfwsettings = "${General::swroot}/outgoing/settings"; -my $host = "Converted "; -my $confighosts = "${General::swroot}/fwhosts/customhosts"; -my $confignets = "${General::swroot}/fwhosts/customnetworks"; -my $configgroups = "${General::swroot}/fwhosts/customgroups"; -my $ovpnsettings = "${General::swroot}/ovpn/settings"; -my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig"; -my $ccdconfig = "${General::swroot}/ovpn/ccd.conf"; -my $fwdfwconfig = "${General::swroot}/forward/config"; -my $outfwconfig = "${General::swroot}/forward/outgoing"; -my $fwdfwsettings = "${General::swroot}/forward/settings"; -my @ipgroups = qx(ls $ipgrouppath); -my @macgroups = qx(ls $macgrouppath); -my @hostarray=(); -my %outsettings=(); -my %hosts=(); -my %nets=(); -my %groups=(); -my %settingsovpn=(); -my %configovpn=(); -my %ccdconf=(); -my %fwconfig=(); -my %fwconfigout=(); -my %fwdsettings=(); -my %ownnet=(); -my %ovpnSettings = (); -&General::readhash("${General::swroot}/ovpn/settings", %ovpnSettings); -&General::readhash($outfwsettings,%outsettings); -&General::readhash("${General::swroot}/ethernet/settings", %ownnet); -#ONLY RUN if /var/ipfire/outgoing exists -if ( -d "/var/ipfire/outgoing"){ - &process_groups; - &process_rules; - &process_p2p; -} -system("/usr/local/bin/forwardfwctrl"); -sub process_groups -{ - if(! 
-d "/var/log/converters"){ mkdir("/var/log/converters");} - if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");} - open (LOG, ">/var/log/converters/groups-convert.log") or die $!; - #IP Group processing - foreach my $group (@ipgroups){ - my $now=localtime; - chomp $group; - print LOG "\n$now Processing IP-GROUP: $group...\n"; - open (DATEI, "<$ipgrouppath/$group"); - my @zeilen = <DATEI>; - foreach my $ip (@zeilen){ - chomp($ip); - $ip =~ s/\s//gi; - print LOG "$now Check IP $ip from Group $group "; - my $val=&check_ip($ip); - if($val){ - push(@hostarray,$val.",ip"); - print LOG "$now -> OK\n"; - } - else{ - print LOG "$now -> IP "$ip" from group $group not converted (invalid IP) \n"; - } - $val=''; - } - &new_hostgrp($group,'ip'); - @hostarray=(); - } - $group=''; - @zeilen=(); - @hostarray=(); - #MAC Group processing - foreach my $group (@macgroups){ - chomp $group; - print LOG "\nProcessing MAC-GROUP: $group...\n"; - open (DATEI, "<$macgrouppath/$group"); - my @zeilen = <DATEI>; - foreach my $mac (@zeilen){ - chomp($mac); - $mac =~ s/\s//gi; - print LOG "$now Checking MAC $mac from group $group "; - #MAC checking - if(&General::validmac($mac)){ - $val=$mac; - } - if($val){ - push(@hostarray,$val.",mac"); - print LOG "$now -> OK\n"; - } - else{ - print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n"; - } - $val=''; - } - &new_hostgrp($group,'mac'); - @hostarray=(); - @zeilen=(); - } - close (LOG); -} -sub check_ip -{ - my $adr=shift; - my $a; - #ip with subnet in decimal - if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)/(\d{1,2})$/){ - $adr=int($1).".".int($2).".".int($3).".".int($4); - my $b = &General::iporsubtodec($5); - $a=$adr."/".$b; - }elsif($adr =~ /^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){ - $adr=int($1).".".int($2).".".int($3).".".int($4); - if(&General::validip($adr)){ - $a=$adr."/255.255.255.255"; - } - } - if(&General::validipandmask($adr)){ - $a=&General::iporsubtodec($adr); - } - return 
$a; -} -sub new_hostgrp -{ - &General::readhasharray($confighosts,%hosts); - &General::readhasharray($confignets,%nets); - &General::readhasharray($configgroups,%groups); - my $grp=shift; - my $run=shift; - my $name; #"converted" - my $name2; - my $name3; #custom host/custom net - foreach my $adr (@hostarray){ - if($run eq 'ip'){ - my ($ip,$type) = split(",",$adr); - my ($ippart,$subnet) = split("/",$ip); - my ($byte1,$byte2,$byte3,$byte4) = split(/./,$subnet); - if($byte4 eq '255'){ - print LOG "Processing SINGLE HOST $ippart/$subnet from group $grp\n"; - if(!&check_host($ip)){ - my $key = &General::findhasharraykey(%hosts); - $name="host "; - $name2=$name.$ippart; - $name3="Custom Host"; - $hosts{$key}[0] = $name2; - $hosts{$key}[1] = $type; - $hosts{$key}[2] = $ip; - $hosts{$key}[3] = ''; - $hosts{$key}[4] = 1; - print LOG "->Host (IP) $ip added to custom hosts\n" - }else{ - print LOG "->Host (IP) $ip already exists in custom hosts\n"; - $name="host "; - $name2=$name.$ippart; - foreach my $key (sort keys %hosts){ - if($hosts{$key}[0] eq $name2){ - $hosts{$key}[4]++; - } - } - $name="host "; - $name2=$name.$ippart; - $name3="Custom Host"; - } - }elsif($byte4 < '255'){ - print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n"; - if(!&check_net($ippart,$subnet)){ - #Check if this network is one one of IPFire internal networks - if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'})) - { - $name2='GREEN'; - $name3='Standard Network'; - }elsif (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'})) - { - $name2='ORANGE'; - $name3='Standard Network'; - }elsif (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'})) - { - 
$name2='BLUE'; - $name3='Standard Network'; - }elsif ($ippart eq '0.0.0.0') - { - $name2='ALL'; - $name3='Standard Network'; - }elsif(defined($ovpnSettings{'DOVPN_SUBNET'}) && "$ippart/".&General::iporsubtodec($subnet) eq $ovpnSettings{'DOVPN_SUBNET'}) - { - $name2='OpenVPN-Dyn'; - $name3='Standard Network'; - }else{ - my $netkey = &General::findhasharraykey(%nets); - $name="net "; - $name2=$name.$ippart; - $name3="Custom Network"; - $nets{$netkey}[0] = $name2; - $nets{$netkey}[1] = $ippart; - $nets{$netkey}[2] = $subnet; - $nets{$netkey}[3] = ''; - $nets{$netkey}[4] = 1; - print LOG "->Network $ippart/$subnet added to custom networks\n"; - } - }else{ - print LOG "Network $ippart already exists in custom networks\n"; - $name="net "; - $name2=$name.$ippart; - foreach my $key (sort keys %nets){ - if($nets{$key}[0] eq $name2){ - $nets{$key}[4]++; - } - } - $name="net "; - $name2=$name.$ippart; - $name3="Custom Network"; - } - } - if($name2 && !&check_grp($grp,$name2)){ - my $grpkey = &General::findhasharraykey(%groups); - $groups{$grpkey}[0] = $grp; - $groups{$grpkey}[1] = ''; - $groups{$grpkey}[2] = $name2; - $groups{$grpkey}[3] = $name3; - $groups{$grpkey}[4] = 0; - print LOG "->$name2 added to group $grp\n"; - } - }elsif($run eq 'mac'){ - #MACRUN - my ($mac,$type) = split(",",$adr); - print LOG "Processing HOST (MAC) $mac\n"; - if(!&check_host($mac)){ - my $key = &General::findhasharraykey(%hosts); - $name="host "; - $name2=$name.$mac; - $name3="Custom Host"; - $hosts{$key}[0] = $name2; - $hosts{$key}[1] = $type; - $hosts{$key}[2] = $mac; - $hosts{$key}[3] = ''; - $hosts{$key}[4] = 1; - print LOG "->Host (MAC) $mac added to custom hosts\n"; - }else{ - print LOG "->Host (MAC) $mac already exists in custom hosts \n"; - $name="host "; - $name2=$name.$mac; - foreach my $key (sort keys %hosts){ - if($hosts{$key}[0] eq $name2){ - $hosts{$key}[4]++; - } - } - $name="host "; - $name2=$name.$mac; - $name3="Custom Host"; - } - if($name2 && !&check_grp($grp,$name2)){ - my 
$grpkey = &General::findhasharraykey(%groups); - $groups{$grpkey}[0] = $grp; - $groups{$grpkey}[1] = ''; - $groups{$grpkey}[2] = $name2; - $groups{$grpkey}[3] = $name3; - $groups{$grpkey}[4] = 0; - print LOG "->$name2 added to group $grp\n"; - } - } - } - @hostarray=(); - &General::writehasharray($confighosts,%hosts); - &General::writehasharray($configgroups,%groups); - &General::writehasharray($confignets,%nets); - -} -sub check_host -{ - my $ip=shift; - foreach my $key (sort keys %hosts) - { - if($hosts{$key}[2] eq $ip) - { - return 1; - } - } - return 0; -} -sub check_net -{ - my $ip=shift; - my $sub=shift; - foreach my $key (sort keys %nets) - { - if($nets{$key}[1] eq $ip && $nets{$key}[2] eq $sub) - { - return 1; - } - } - return 0; -} -sub check_grp -{ - my $grp=shift; - my $value=shift; - foreach my $key (sort keys %groups) - { - if($groups{$key}[0] eq $grp && $groups{$key}[2] eq $value) - { - return 1; - } - } - return 0; -} -sub process_rules -{ - my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); - #open LOG - if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");} - open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!; - - &General::readhash($fwdfwsettings,%fwdsettings); - if ($outsettings{'POLICY'} eq 'MODE1'){ - $fwdsettings{'POLICY'}='MODE1'; - $fwdsettings{'POLICY1'}='MODE2'; - $type='ALLOW'; - $action='ACCEPT'; - }else{ - $fwdsettings{'POLICY'}='MODE2'; - $fwdsettings{'POLICY1'}='MODE2'; - $type='DENY'; - $action='DROP'; - } - &General::writehash($fwdfwsettings,%fwdsettings); - open (DATEI, "<$outgoingrules"); - my @lines = <DATEI>; - foreach my $rule (@lines) - { - my $now=localtime; - chomp($rule); - $port=''; - print LOG "$now processing: $rule\n"; - my @configline=(); - @configline = split( /;/, $rule ); - my @prot=(); - if($configline[0] 
eq $type){ - #some variables we can use from old config - if($configline[1] eq 'on'){ $active='ON';}else{$active='';} - if($configline[3] eq 'all' && $configline[8] ne ''){ - push(@prot,"TCP"); - push(@prot,"UDP"); - }elsif($configline[3] eq 'all' && $configline[8] eq ''){ - push(@prot,""); - }else{ - push(@prot,$configline[3]); - } - if($configline[4] ne ''){ - $configline[4] =~ s/,/;/g; - $remark = $configline[4]; - }else{$remark = '';} - if($configline[9] eq 'Active'){ $log='ON';}else{$log='';} - if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){ - if($configline[17] eq '00:00' && $configline[18] eq '00:00'){ - $time=''; - }else{ - $time='ON'; - } - }else{ - $time='ON'; - } - $time_mon=$configline[10]; - $time_tue=$configline[11]; - $time_wed=$configline[12]; - $time_thu=$configline[13]; - $time_fri=$configline[14]; - $time_sat=$configline[15]; - $time_sun=$configline[16]; - $time_from=$configline[17]; - $time_to=$configline[18]; - ############################################################ - #sourcepart - if ($configline[2] eq 'green') { - $grp1='std_net_src'; - $source='GREEN'; - }elsif ($configline[2] eq 'orange') { - $grp1='std_net_src'; - $source='ORANGE'; - }elsif ($configline[2] eq 'red') { - $grp1='std_net_src'; - $source='IPFire'; - &General::readhash($fwdfwsettings,%fwdsettings); - $fwdsettings{'POLICY1'}=$outsettings{'POLICY'}; - $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; - &General::writehash($fwdfwsettings,%fwdsettings); - }elsif ($configline[2] eq 'blue') { - $grp1='std_net_src'; - $source='BLUE'; - }elsif ($configline[2] eq 'ipsec') { - print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n"; - next; - }elsif ($configline[2] eq 'ovpn') { - print LOG "$now ->Creating networks/groups for OpenVPN...\n"; - &build_ovpn_grp; - $grp1='cust_grp_src'; - $source='ovpn' - }elsif 
($configline[2] eq 'ip') { - my $z=&check_ip($configline[5]); - if($z){ - my ($ipa,$subn) = split("/",$z); - $subn=&General::iporsubtocidr($subn); - $grp1='src_addr'; - $source="$ipa/$subn"; - }else{ - print LOG "$now -> Rule not converted, missing/invalid source ip "$configline[5]"\n"; - next; - } - }elsif ($configline[2] eq 'mac') { - if(&General::validmac($configline[6])){ - $grp1='src_addr'; - $source=$configline[6]; - }else{ - print LOG"$now -> Rule not converted, invalid MAC "$configline[6]" \n"; - next; - } - }elsif ($configline[2] eq 'all') { - $grp1='std_net_src'; - $source='ALL'; - }else{ - foreach my $key (sort keys %groups){ - if($groups{$key}[0] eq $configline[2]){ - $grp1='cust_grp_src'; - $source=$configline[2]; - } - } - if ($grp1 eq '' || $source eq ''){ - print LOG "$now -> Rule not converted, no valid source recognised\n"; - } - } - ############################################################ - #destinationpart - if($configline[7] ne ''){ - my $address=&check_ip($configline[7]); - if($address){ - my ($dip,$dsub) = split("/",$address); - $dsub=&General::iporsubtocidr($dsub); - $grp2='tgt_addr'; - $target="$dip/$dsub"; - }elsif(!$address){ - my $getwebsiteip=&get_ip_from_domain($configline[7]); - if ($getwebsiteip){ - $grp2='tgt_addr'; - $target=$getwebsiteip; - $remark.=" $configline[7]"; - }else{ - print LOG "$now -> Rule not converted, invalid domain "$configline[7]"\n"; - next; - } - } - }else{ - $grp2='std_net_tgt'; - $target='ALL'; - } - if($configline[8] ne '' && $configline[3] ne 'gre' && $configline[3] ne 'esp'){ - my @values=(); - my @parts=split(",",$configline[8]); - foreach (@parts){ - $_=~ tr/-/:/; - if (!($_ =~ /^(\d+):(\d+)$/)) { - if(&General::validport($_)){ - $useport='ON'; - push (@values,$_); - $grp3='TGT_PORT'; - }else{ - print LOG "$now -> Rule not converted, invalid destination Port "$configline[8]"\n"; - next; - } - }else{ - my ($a1,$a2) = split(/:/,$_); - if (&General::validport($a1) && &General::validport($a2) && $a1 < 
$a2){ - $useport='ON'; - push (@values,"$a1:$a2"); - $grp3='TGT_PORT'; - }else{ - print LOG "$now -> Rule not converted, invalid destination Port "$configline[8]"\n"; - next; - } - } - } - $port=join("|",@values); - @values=(); - @parts=(); - } - }else{ - print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; - } - &General::readhasharray($fwdfwconfig,%fwconfig); - &General::readhasharray($outfwconfig,%fwconfigout); - my $check; - my $chain; - foreach my $protocol (@prot){ - my $now=localtime; - if ($source eq 'IPFire'){ - $chain='OUTGOINGFW'; - }else{ - $chain='FORWARDFW'; - } - $protocol=uc($protocol); - print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; - #Put rules into system.... - ########################### - #check for double rules - foreach my $key (sort keys %fwconfig){ - if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to" - eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){ - $check='on'; - next; - } - } - if($check ne 'on'){ - #increase groupcounter - my $check1; - if($grp1 eq 'cust_grp_src'){ - foreach my $key (sort keys %groups){ - if($groups{$key}[0] eq $source){ - $groups{$key}[4]++; - $check1='on'; - } - } - if($check1 eq 'on'){ - 
&General::writehasharray($configgroups,%groups); - } - } - if ($chain eq 'FORWARDFW'){ - my $key = &General::findhasharraykey(%fwconfig); - $fwconfig{$key}[0] = $action; - $fwconfig{$key}[1] = $chain; - $fwconfig{$key}[2] = $active; - $fwconfig{$key}[3] = $grp1; - $fwconfig{$key}[4] = $source; - $fwconfig{$key}[5] = $grp2; - $fwconfig{$key}[6] = $target; - $fwconfig{$key}[11] = $useport; - $fwconfig{$key}[12] = $protocol; - $fwconfig{$key}[14] = $grp3; - $fwconfig{$key}[15] = $port; - $fwconfig{$key}[16] = $remark; - $fwconfig{$key}[17] = $log; - $fwconfig{$key}[18] = $time; - $fwconfig{$key}[19] = $time_mon; - $fwconfig{$key}[20] = $time_tue; - $fwconfig{$key}[21] = $time_wed; - $fwconfig{$key}[22] = $time_thu; - $fwconfig{$key}[23] = $time_fri; - $fwconfig{$key}[24] = $time_sat; - $fwconfig{$key}[25] = $time_sun; - $fwconfig{$key}[26] = $time_from; - $fwconfig{$key}[27] = $time_to; - $fwconfig{$key}[28] = ''; - $fwconfig{$key}[29] = 'ALL'; - $fwconfig{$key}[30] = ''; - $fwconfig{$key}[31] = 'dnat'; - }else{ - my $key = &General::findhasharraykey(%fwconfigout); - $fwconfigout{$key}[0] = $action; - $fwconfigout{$key}[1] = $chain; - $fwconfigout{$key}[2] = $active; - $fwconfigout{$key}[3] = $grp1; - $fwconfigout{$key}[4] = $source; - $fwconfigout{$key}[5] = $grp2; - $fwconfigout{$key}[6] = $target; - $fwconfigout{$key}[11] = $useport; - $fwconfigout{$key}[12] = $protocol; - $fwconfigout{$key}[14] = $grp3; - $fwconfigout{$key}[15] = $port; - $fwconfigout{$key}[16] = $remark; - $fwconfigout{$key}[17] = $log; - $fwconfigout{$key}[18] = $time; - $fwconfigout{$key}[19] = $time_mon; - $fwconfigout{$key}[20] = $time_tue; - $fwconfigout{$key}[21] = $time_wed; - $fwconfigout{$key}[22] = $time_thu; - $fwconfigout{$key}[23] = $time_fri; - $fwconfigout{$key}[24] = $time_sat; - $fwconfigout{$key}[25] = $time_sun; - $fwconfigout{$key}[26] = $time_from; - $fwconfigout{$key}[27] = $time_to; - $fwconfigout{$key}[28] = ''; - $fwconfigout{$key}[29] = 'ALL'; - $fwconfigout{$key}[30] = 
''; - $fwconfigout{$key}[31] = 'dnat'; - } - &General::writehasharray($fwdfwconfig,%fwconfig); - &General::writehasharray($outfwconfig,%fwconfigout); - } - } - @prot=(); - } - close(LOG); - @lines=(); -} -sub get_ip_from_domain -{ - $web=shift; - my $resolvedip; - my $checked; - my ($name,$aliases,$addrtype,$length,@addrs) = gethostbyname($web); - if(@addrs){ - $resolvedip=inet_ntoa($addrs[0]); - return $resolvedip; - } - return; -} -sub build_ovpn_grp -{ - my $now=localtime; - &General::readhasharray($confighosts,%hosts); - &General::readhasharray($confignets,%nets); - &General::readhasharray($configgroups,%groups); - &General::readhasharray($ovpnconfig,%configovpn); - &General::readhasharray($ccdconfig,%ccdconf); - &General::readhash($ovpnsettings,%settingsovpn); - #get ovpn nets - my @ovpnnets=(); - if($settingsovpn{'DOVPN_SUBNET'}){ - my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'}); - push (@ovpnnets,"$net,$subnet,dynamic"); - print LOG "$now ->found dynamic OpenVPN net\n"; - } - foreach my $key (sort keys %ccdconf){ - my ($net,$subnet)=split("/",$ccdconf{$key}[1]); - $subnet=&General::iporsubtodec($subnet); - push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]"); - print LOG "$now ->found OpenVPN static net $net/$subnet\n"; - } - foreach my $key (sort keys %configovpn){ - if ($configovpn{$key}[3] eq 'net'){ - my ($net,$subnet)=split("/",$configovpn{$key}[27]); - push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]"); - print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n"; - } - } - #add ovpn nets to customnetworks/groups - foreach my $line (@ovpnnets){ - my $now=localtime; - my ($net,$subnet,$name) = split(",",$line); - if (!&check_net($net,$subnet)){ - my $netkey = &General::findhasharraykey(%nets); - $name2=$name."(ovpn)".$net; - $name3="Custom Network"; - $nets{$netkey}[0] = $name2; - $nets{$netkey}[1] = $net; - $nets{$netkey}[2] = $subnet; - $nets{$netkey}[3] = ''; - $nets{$netkey}[4] = 1; - print LOG "$now ->added $name2 $net/$subnet 
to customnetworks\n"; - }else{ - print LOG "-> Custom Network with same IP already exist "$net/$subnet" (you can ignore this, if this run was manual from shell)\n"; - } - if($name2){ - my $grpkey = &General::findhasharraykey(%groups); - $groups{$grpkey}[0] = "ovpn"; - $groups{$grpkey}[1] = ''; - $groups{$grpkey}[2] = $name2; - $groups{$grpkey}[3] = "Custom Network"; - $groups{$grpkey}[4] = 0; - print LOG "$now ->added $name2 to customgroup ovpn\n"; - } - $name2=''; - } - @ovpnnets=(); - &General::writehasharray($confighosts,%hosts); - &General::writehasharray($configgroups,%groups); - &General::writehasharray($confignets,%nets); - print LOG "$now ->finished OVPN\n"; -} -sub process_p2p -{ - copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/forward/p2protocols"); - chmod oct('0777'), '/var/ipfire/forward/p2protocols'; -} diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw deleted file mode 100755 index a37383e..0000000 --- a/config/forwardfw/convert-portfw +++ /dev/null 
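Review bot: in `process_rules` of the removed convert-outgoingfw, the `next` after `print LOG "$now -> Rule not converted, invalid destination Port ..."` only skips the current element of `foreach (@parts)`, not the outer `foreach my $rule (@lines)`, so a rule with one bad port is logged as "not converted" but is still written, with the bad port silently dropped from `$port`. The source fallback has the same shape: when `$configline[2]` matches no custom group the script logs "no valid source recognised" without `next`, and because `$grp1` and `$source` are declared once in the `my (...)` list at the top of the sub and never reset per iteration, they keep the previous rule's values, so the guard `if ($grp1 eq '' || $source eq '')` rarely fires and the rule is written with the previous rule's source. Both branches should `next`, and the per-rule fields should be reset where `$port=''` is. Two further points if this converter is being relocated rather than dropped: `process_p2p` runs `chmod oct('0777')` on `/var/ipfire/forward/p2protocols`, making a firewall configuration file world-writable (0644 is enough for the web UI to read it), and `get_ip_from_domain` freezes the first A record from `gethostbyname` into the rule, so a domain-based outgoing rule becomes a single static IP at conversion time; that should be stated in the log line and in the `$remark` it appends.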
@@ -1,158 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### -# # -# This script converts old portforwarding rules from old Firewall # -# to the new one. This is a 3-step process. # -# STEP1: read old config and normalize settings # -# STEP2: create new rules from old ones # -# STEP3: check if rule already exists, when not, put it into # -# /var/ipfire/forward/nat # -############################################################################### -require '/var/ipfire/general-functions.pl'; -my @values=(); -my @built_rules=(); -my %nat=(); -my $portfwconfig = "${General::swroot}/portfw/config"; -my $confignat = "${General::swroot}/forward/config"; -my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark); -my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1); -my $count=0; -my $jump; -if(! 
-d "/var/log/converters"){ mkdir("/var/log/converters");} -open(FILE, $portfwconfig) or die 'Unable to open config file.'; -my @current = <FILE>; -close(FILE); -open (LOG, ">/var/log/converters/portfw-convert.log") or die $!; -open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; -my @alias = <ALIAS>; -close(ALIAS); -&get_config; -&build_rules; -&write_rules; -sub get_config -{ - print LOG "STEP 1: Get config from old portforward\n#########################################\n"; - foreach my $line (@current){ - if($jump eq '1'){ - $jump=''; - $count++; - next; - } - my $u=$count+1; - ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line); - ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]); - if ($flag1 eq '1'){ - $source=$source1; - $jump='1'; - } - my $now=localtime; - chomp($remark); - print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n"; - push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark); - $count++; - } -} -sub build_rules -{ - print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n"; - my $src; - my $src1; - my $ipfireip; - my $count=0; - my $stop; - #build rules for new firewall - foreach my $line (@values){ - chomp ($line); - ($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line); - $count++; - #get sourcepart - if($source eq '0.0.0.0/0'){ - $src = 'std_net_src'; - $src1 = 'ALL'; - }else{ - $src = 'src_addr'; - my ($a,$b) = split("/",$source); - $src1 = $a."/32"; - } - #get ipfire ip - if($alias eq '0.0.0.0'){ - $alias='ALL'; - }else{ - foreach my $ali (@alias){ - my 
($alias_ip,$alias_active,$alias_name) = split (",",$ali); - if($alias eq $alias_ip){ - chomp($alias_name); - $alias=$alias_name; - } - } - } - $active = uc $active; - $prot = uc $prot; - chomp($remark); - push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat"); - my $now=localtime; - print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n"; - } -} -sub write_rules -{ - my $skip=''; - my $id; - print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n"; - &General::readhasharray($confignat,%nat); - foreach my $line (@built_rules){ - $skip=''; - my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line); - foreach my $key (sort keys %nat){ - if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){ - my $now=localtime; - print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n"; - $skip='1'; - } - } - if ($skip ne '1'){ - $id = &General::findhasharraykey(%nat); - $nat{$id}[0] = $action; - $nat{$id}[1] = $chain; - $nat{$id}[2] = $active; - $nat{$id}[3] = $src; - $nat{$id}[4] = $src1; - $nat{$id}[5] = $tgt; - $nat{$id}[6] = $tgt1; - $nat{$id}[11] = $use_prot; - $nat{$id}[12] = $prot; - $nat{$id}[13] = $dummy; - 
$nat{$id}[14] = $tgt_port; - $nat{$id}[15] = $tgt_port1; - $nat{$id}[16] = $remark; - $nat{$id}[26] = $from; - $nat{$id}[27] = $to; - $nat{$id}[28] = $use_port; - $nat{$id}[29] = $alias; - $nat{$id}[30] = $ipfireport; - $nat{$id}[31] = $dnat; - my $now=localtime; - print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n"; - } - } - &General::writehasharray($confignat,%nat); -} -close (LOG); diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess deleted file mode 100755 index d86c445..0000000 --- a/config/forwardfw/convert-xtaccess +++ /dev/null 
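Review bot: in `build_rules` of the removed convert-portfw, `my ($a,$b) = split("/",$source); $src1 = $a."/32";` discards the prefix length of the old rule's source, so a source restriction such as a /24 is narrowed to one /32 host and the converted DNAT rule silently stops matching most of the intended clients; carry `$b` over (converting it with `General::iporsubtocidr` if it is a dotted mask) instead of hard-coding `/32`. Declaring lexical `$a`/`$b` also masks Perl's `sort` variables, so different names are safer. In `get_config`, `split(",",$current[$u])` reads one past the end of `@current` on the last line and only works because the script runs without `use strict` or warnings; guarding with `if ($u <= $#current)` would make the paired-rule (`$flag1 eq '1'`) handling explicit.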
@@ -1,141 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### -# # -#This script converts old xtaccess rules to new firewall # -#Logfiles are created under /var/log/converters # -# # -############################################################################### -my @current=(); -my @alias=(); -my %configinputfw=(); -require '/var/ipfire/general-functions.pl'; -my $xtaccessconfig = "${General::swroot}/xtaccess/config"; -my $inputfwconfig = "${General::swroot}/forward/input"; -my $aliasconfig = "${General::swroot}/ethernet/aliases"; -my $field0='ACCEPT'; -my $field1='INPUTFW'; -my $field2=''; #ON or emtpy -my $field3=''; #std_net_src or src_addr -my $field4=''; #ALL or IP-Address with /32 -my $field5='ipfire'; -my $field6=''; #Default IP or alias name -my $field11='ON'; #use target port -my $field12=''; #TCP or UDP -my $field13='All ICMP-Types'; -my $field14='TGT_PORT'; -my $field15=''; #Port Number -my $field16=''; #remark -my $field26='00:00'; -my $field27='00:00'; -my $field28 = ''; -my $field29 = 'ALL'; -my $field30 = ''; -my $field31 = 'dnat'; -open(FILE, 
$xtaccessconfig) or die 'Unable to open config file.'; -my @current = <FILE>; -close(FILE); -open(FILE1, $aliasconfig) or die 'Unable to open config file.'; -my @alias = <FILE1>; -close(FILE1); -&General::readhasharray($inputfwconfig,%configinputfw); - -foreach my $line (@current){ - my ($a,$b,$c,$d,$e,$f) = split (",",$line); - $e =~ s/\R//g; - if ($f gt ''){ - $f =~ s/\R//g; - $field16=$f; - } - #active or not - $field2=uc($d); - #get protocol - if ($a eq 'tcp'){ $field12 ='TCP';}else{$field12='UDP';} - #check source address - if ($b eq '0.0.0.0/0'){ - $field3='std_net_src'; - $field4='ALL'; - }elsif($b =~/^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){ - $field3='src_addr'; - $field4=$b."/32"; - }elsif ($b =~ /^(.*?)/(.*?)$/) { - $field3='src_addr'; - $field4=$b; - }else{ - print "Regel konnte nicht konvertiert werden!\n"; - } - #check ipfire address - if ($e eq '0.0.0.0'){ - $field6 = 'RED1'; - }else{ - foreach my $line (@alias){ - my ($ip,$state,$aliasname) = split (",",$line); - if ($ip eq $e){ - $aliasname =~ s/\R//g; - $field6 = $aliasname; - } - } - } - #get target port - $c=~ s/\R//g; - $c=~ tr/-/:/; - if ($c =~ /^(\D):(\d+)$/) { - $c = "1:$2"; - } - if ($c =~ /^(\d+):(\D)$/) { - $c = "$1:65535"; - } - $field15=$c; - my $key = &General::findhasharraykey (%configinputfw); - foreach my $i (0 .. 
31) { $configinputfw{$key}[$i] = "";} - $configinputfw{$key}[0] = $field0; - $configinputfw{$key}[1] = $field1; - $configinputfw{$key}[2] = $field2; - $configinputfw{$key}[3] = $field3; - $configinputfw{$key}[4] = $field4; - $configinputfw{$key}[5] = $field5; - $configinputfw{$key}[6] = $field6; - $configinputfw{$key}[7] = ''; - $configinputfw{$key}[8] = ''; - $configinputfw{$key}[9] = ''; - $configinputfw{$key}[10] = ''; - $configinputfw{$key}[11] = $field11; - $configinputfw{$key}[12] = $field12; - $configinputfw{$key}[13] = $field13; - $configinputfw{$key}[14] = $field14; - $configinputfw{$key}[15] = $field15; - $configinputfw{$key}[16] = $field16; - $configinputfw{$key}[17] = ''; - $configinputfw{$key}[18] = ''; - $configinputfw{$key}[19] = ''; - $configinputfw{$key}[20] = ''; - $configinputfw{$key}[21] = ''; - $configinputfw{$key}[22] = ''; - $configinputfw{$key}[23] = ''; - $configinputfw{$key}[24] = ''; - $configinputfw{$key}[25] = ''; - $configinputfw{$key}[26] = $field26; - $configinputfw{$key}[27] = $field27; - $configinputfw{$key}[28] = $field28; - $configinputfw{$key}[29] = $field29; - $configinputfw{$key}[30] = $field30; - $configinputfw{$key}[31] = $field31; - &General::writehasharray($inputfwconfig,%configinputfw); -} diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl deleted file mode 100755 index f1e8403..0000000 --- a/config/forwardfw/firewall-lib.pl +++ /dev/null 
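Review bot: in the removed convert-xtaccess, the `else` branch that prints "Regel konnte nicht konvertiert werden!" (German for "rule could not be converted") does not `next`, and `$field3`, `$field4`, `$field6` and `$field16` are file-level variables that are only assigned when a match succeeds, so an unparseable source, an alias IP missing from `ethernet/aliases`, or an empty remark produces a rule in `forward/input` carrying the previous line's source, alias name or remark instead of being skipped. Reset those fields at the top of the loop and `next` on failure. The IPv4 pattern `^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$` has unescaped dots as shown, so it accepts strings that are not dotted quads. The failure message should also be in English like the other converters and go to a file under /var/log/converters as the header comment promises, rather than to stdout where a post-update run loses it.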
@@ -1,256 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -use strict; -no warnings 'uninitialized'; - -package fwlib; - -my %customnetwork=(); -my %customhost=(); -my %customgrp=(); -my %customservice=(); -my %customservicegrp=(); -my %ccdnet=(); -my %ccdhost=(); -my %ipsecconf=(); -my %ipsecsettings=(); -my %netsettings=(); -my %ovpnsettings=(); - -require '/var/ipfire/general-functions.pl'; - -my $confignet = "${General::swroot}/fwhosts/customnetworks"; -my $confighost = "${General::swroot}/fwhosts/customhosts"; -my $configgrp = "${General::swroot}/fwhosts/customgroups"; -my $configsrv = "${General::swroot}/fwhosts/customservices"; -my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; -my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; -my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; -my $configipsec = "${General::swroot}/vpn/config"; -my $configovpn = "${General::swroot}/ovpn/settings"; -my $val; -my $field; - -&General::readhash("/var/ipfire/ethernet/settings", %netsettings); -&General::readhash("${General::swroot}/ovpn/settings", 
%ovpnsettings); -&General::readhash("${General::swroot}/vpn/settings", %ipsecsettings); - - -&General::readhasharray("$confignet", %customnetwork); -&General::readhasharray("$confighost", %customhost); -&General::readhasharray("$configgrp", %customgrp); -&General::readhasharray("$configccdnet", %ccdnet); -&General::readhasharray("$configccdhost", %ccdhost); -&General::readhasharray("$configipsec", %ipsecconf); -&General::readhasharray("$configsrv", %customservice); -&General::readhasharray("$configsrvgrp", %customservicegrp); - -sub get_srv_prot -{ - my $val=shift; - foreach my $key (sort {$a <=> $b} keys %customservice){ - if($customservice{$key}[0] eq $val){ - if ($customservice{$key}[0] eq $val){ - return $customservice{$key}[2]; - } - } - } -} -sub get_srvgrp_prot -{ - my $val=shift; - my @ips=(); - my $tcp; - my $udp; - my $icmp; - foreach my $key (sort {$a <=> $b} keys %customservicegrp){ - if($customservicegrp{$key}[0] eq $val){ - if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ - $tcp=1; - }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ - $udp=1; - }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){ - $icmp=1; - } - } - } - if ($tcp eq '1'){push (@ips,'TCP');} - if ($udp eq '1'){push (@ips,'UDP');} - if ($icmp eq '1'){push (@ips,'ICMP');} - my $back=join(",",@ips); - return $back; - -} - - -sub get_srv_port -{ - my $val=shift; - my $field=shift; - my $prot=shift; - foreach my $key (sort {$a <=> $b} keys %customservice){ - if($customservice{$key}[0] eq $val){ - if($customservice{$key}[2] eq $prot){ - return $customservice{$key}[$field]; - } - } - } -} -sub get_srvgrp_port -{ - my $val=shift; - my $prot=shift; - my $back; - my $value; - my @ips=(); - foreach my $key (sort {$a <=> $b} keys %customservicegrp){ - if($customservicegrp{$key}[0] eq $val){ - if ($prot ne 'ICMP'){ - $value=&get_srv_port($customservicegrp{$key}[2],1,$prot); - }elsif ($prot eq 'ICMP'){ - $value=&get_srv_port($customservicegrp{$key}[2],3,$prot); - } - push 
(@ips,$value) if ($value ne '') ; - } - } - if($prot ne 'ICMP'){ - if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";} - }elsif ($prot eq 'ICMP'){ - $back="--icmp-type "; - } - - $back.=join(",",@ips); - return $back; -} -sub get_ipsec_net_ip -{ - my $val=shift; - my $field=shift; - foreach my $key (sort {$a <=> $b} keys %ipsecconf){ - if($ipsecconf{$key}[1] eq $val){ - return $ipsecconf{$key}[$field]; - } - } -} -sub get_ipsec_host_ip -{ - my $val=shift; - my $field=shift; - foreach my $key (sort {$a <=> $b} keys %ipsecconf){ - if($ipsecconf{$key}[1] eq $val){ - return $ipsecconf{$key}[$field]; - } - } -} -sub get_ovpn_n2n_ip -{ - my $val=shift; - my $field=shift; - foreach my $key (sort {$a <=> $b} keys %ccdhost){ - if($ccdhost{$key}[1] eq $val){ - return $ccdhost{$key}[$field]; - } - } -} -sub get_ovpn_host_ip -{ - my $val=shift; - my $field=shift; - foreach my $key (sort {$a <=> $b} keys %ccdhost){ - if($ccdhost{$key}[1] eq $val){ - return $ccdhost{$key}[$field]; - } - } -} -sub get_ovpn_net_ip -{ - - my $val=shift; - my $field=shift; - foreach my $key (sort {$a <=> $b} keys %ccdnet){ - if($ccdnet{$key}[0] eq $val){ - return $ccdnet{$key}[$field]; - } - } -} -sub get_grp_ip -{ - my $val=shift; - my $src=shift; - foreach my $key (sort {$a <=> $b} keys %customgrp){ - if ($customgrp{$key}[0] eq $val){ - &get_address($customgrp{$key}[3],$src); - } - } - -} -sub get_std_net_ip -{ - my $val=shift; - my $con=shift; - if ($val eq 'ALL'){ - return "0.0.0.0/0.0.0.0"; - }elsif($val eq 'GREEN'){ - return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; - }elsif($val eq 'ORANGE'){ - return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; - }elsif($val eq 'BLUE'){ - return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; - }elsif($val eq 'RED'){ - return "0.0.0.0/0 -o $con"; - }elsif($val =~ /OpenVPN/i){ - return "$ovpnsettings{'DOVPN_SUBNET'}"; - }elsif($val =~ /IPsec/i){ - return 
"$ipsecsettings{'RW_NET'}"; - }elsif($val eq 'IPFire'){ - return ; - } -} -sub get_net_ip -{ - my $val=shift; - foreach my $key (sort {$a <=> $b} keys %customnetwork){ - if($customnetwork{$key}[0] eq $val){ - return "$customnetwork{$key}[1]/$customnetwork{$key}[2]"; - } - } -} -sub get_host_ip -{ - my $val=shift; - my $src=shift; - foreach my $key (sort {$a <=> $b} keys %customhost){ - if($customhost{$key}[0] eq $val){ - if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){ - return "-m mac --mac-source $customhost{$key}[2]"; - }elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){ - return "$customhost{$key}[2]"; - }elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){ - return "$customhost{$key}[2]"; - }elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){ - return "none"; - } - } - } -} - -return 1; diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy deleted file mode 100755 index 6f7e95c..0000000 --- a/config/forwardfw/firewall-policy +++ /dev/null 
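Review bot: in the removed firewall-lib.pl, `get_grp_ip` calls `&get_address(...)`, which is not defined in package `fwlib`, and does not `return` its result, so callers get nothing useful back for group members; `get_ipsec_net_ip`/`get_ipsec_host_ip` and `get_ovpn_n2n_ip`/`get_ovpn_host_ip` have pairwise identical bodies, and the nested `if ($customservice{$key}[0] eq $val)` in `get_srv_prot` repeats the enclosing test. The point that matters for callers: `get_host_ip` returns the literal string `"none"` for a MAC host used as target and an iptables fragment `-m mac --mac-source ...` for a MAC source, `get_std_net_ip` returns `"0.0.0.0/0 -o $con"` for RED, and `get_srvgrp_port` returns `-m multiport --dports ...`, so these helpers mix addresses with iptables option fragments in one string. Every caller that splices them into an iptables command line has to special-case `"none"` and must never pass the result where a bare address is expected; returning a list of arguments (or a hash with separate address and option fields) instead of a string would make that contract checkable and keep config-file values from being interpreted as extra iptables options. Minor: `$#ips gt 0` is a string comparison on an integer; use `> 0`.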
@@ -1,124 +0,0 @@ -#!/bin/sh -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) -eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) -eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) - -iptables -F POLICYFWD -iptables -F POLICYOUT -iptables -F POLICYIN - -if [ -f "/var/ipfire/red/iface" ]; then - IFACE="$(</var/ipfire/red/iface)" -fi - -# Figure out what devices are configured. 
-HAVE_BLUE="false" -HAVE_ORANGE="false" - -case "${CONFIG_TYPE}" in - 2) - HAVE_BLUE="true" - ;; - 3) - HAVE_ORANGE="true" - ;; - 4) - HAVE_BLUE="true" - HAVE_ORANGE="true" - ;; -esac - -# INPUT -case "${FWPOLICY2}" in - REJECT) - if [ "${DROPINPUT}" = "on" ]; then - /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT" - fi - /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" - ;; - *) # DROP - if [ "${DROPINPUT}" = "on" ]; then - /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" - fi - /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" - ;; -esac - -# FORWARD -case "${POLICY}" in - MODE1) - case "${FWPOLICY}" in - REJECT) - if [ "${DROPFORWARD}" = "on" ]; then - /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" - fi - /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" - ;; - *) # DROP - if [ "${DROPFORWARD}" = "on" ]; then - /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" - fi - /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" - ;; - esac - ;; - - *) - if [ -n "${IFACE}" ]; then - if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then - /sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP - fi - if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then - /sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! 
-o "${IFACE}" -j DROP - fi - fi - /sbin/iptables -A POLICYFWD -j ACCEPT - /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP - ;; -esac - -# OUTGOING -case "${POLICY1}" in - MODE1) - case "${FWPOLICY1}" in - REJECT) - if [ "${DROPOUTGOING}" = "on" ]; then - /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" - fi - /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" - ;; - *) # DROP - if [ "${DROPOUTGOING}" == "on" ]; then - /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" - fi - /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" - ;; - esac - ;; - *) - /sbin/iptables -A POLICYOUT -j ACCEPT - /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP - ;; -esac - -exit 0 diff --git a/config/forwardfw/p2protocols b/config/forwardfw/p2protocols deleted file mode 100644 index 7000581..0000000 --- a/config/forwardfw/p2protocols +++ /dev/null @@ -1,9 +0,0 @@ -Applejuice;apple;off; -Ares;ares;off; -Bittorrent;bit;off; -DirectConnect;dc;off; -Edonkey;edk;off; -Gnutella;gnu;off; -KaZaA;kazaa;off; -SoulSeek;soul;off; -WinMX;winmx;off; diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl deleted file mode 100755 index b3be47d..0000000 --- a/config/forwardfw/rules.pl +++ /dev/null 
@@ -1,635 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -use strict; -use Time::Local; -no warnings 'uninitialized'; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -my %fwdfwsettings=(); -my %defaultNetworks=(); -my %configfwdfw=(); -my %color=(); -my %icmptypes=(); -my %ovpnSettings=(); -my %customgrp=(); -our %sourcehash=(); -our %targethash=(); -my @timeframe=(); -my %configinputfw=(); -my %configoutgoingfw=(); -my %confignatfw=(); -my %aliases=(); -my @DPROT=(); -my @p2ps=(); -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/forward/bin/firewall-lib.pl"; - -my $configfwdfw = "${General::swroot}/forward/config"; -my $configinput = "${General::swroot}/forward/input"; -my $configoutgoing = "${General::swroot}/forward/outgoing"; -my $p2pfile = "${General::swroot}/forward/p2protocols"; -my $configgrp = "${General::swroot}/fwhosts/customgroups"; -my $netsettings = "${General::swroot}/ethernet/settings"; -my $errormessage = ''; -my $orange = ''; 
-my $green = ''; -my $blue = ''; -my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); -my $CHAIN = "FORWARDFW"; -my $conexists = 'off'; -my $command = 'iptables -A'; -my $dnat =''; -my $snat =''; - -&General::readhash("${General::swroot}/forward/settings", %fwdfwsettings); -&General::readhash("$netsettings", %defaultNetworks); -&General::readhasharray($configfwdfw, %configfwdfw); -&General::readhasharray($configinput, %configinputfw); -&General::readhasharray($configoutgoing, %configoutgoingfw); -&General::readhasharray($configgrp, %customgrp); -&General::get_aliases(%aliases); - -#check if we have an internetconnection -open (CONN,"/var/ipfire/red/iface"); -my $con = <CONN>; -close(CONN); -if (-f "/var/ipfire/red/active"){ - $conexists='on'; -} -open (CONN1,"/var/ipfire/red/local-ipaddress"); -my $redip = <CONN1>; -close(CONN1); -################# -# DEBUG/TEST # -################# -my $MODE=0; # 0 - normal operation - # 1 - print configline and rules to console - # -################# -my $param=shift; - -if($param eq 'flush'){ - if ($MODE eq '1'){ - print " Flushing chains...\n"; - } - &flush; -}else{ - if ($MODE eq '1'){ - print " Flushing chains...\n"; - } - &flush; - if ($MODE eq '1'){ - print " Preparing rules...\n"; - } - &preparerules; - if($MODE eq '0'){ - if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ - &p2pblock; - system ("/usr/sbin/firewall-policy"); - }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ - &p2pblock; - system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); - system ("/usr/sbin/firewall-policy"); - system ("/etc/sysconfig/firewall.local reload"); - } - } -} -sub flush -{ - system ("iptables -F FORWARDFW"); - system ("iptables -F INPUTFW"); - system ("iptables -F OUTGOINGFW"); - system ("iptables -t nat -F NAT_DESTINATION"); - system ("iptables -t nat -F NAT_SOURCE"); -} -sub preparerules -{ - if (! -z "${General::swroot}/forward/config"){ - &buildrules(%configfwdfw); - } - if (! 
-z "${General::swroot}/forward/input"){ - &buildrules(%configinputfw); - } - if (! -z "${General::swroot}/forward/outgoing"){ - &buildrules(%configoutgoingfw); - } -} -sub buildrules -{ - my $hash=shift; - my $STAG; - my $natip; - my $snatport; - my $fireport; - my $nat; - my $fwaccessdport; - my $natchain; - my $icmptype; - foreach my $key (sort {$a <=> $b} keys %$hash){ - next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); - $command="iptables -A"; - if ($$hash{$key}[28] eq 'ON'){ - $command='iptables -t nat -A'; - $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); - if($$hash{$key}[31] eq 'dnat'){ - $nat='DNAT'; - if ($$hash{$key}[30] =~ /|/){ - $$hash{$key}[30]=~ tr/|/,/; - $fireport='-m multiport --dport '.$$hash{$key}[30]; - }else{ - $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); - } - }else{ - $nat='SNAT'; - } - } - $STAG=''; - if($$hash{$key}[2] eq 'ON'){ - #get source ip's - if ($$hash{$key}[3] eq 'cust_grp_src'){ - foreach my $grp (sort {$a <=> $b} keys %customgrp){ - if($customgrp{$grp}[0] eq $$hash{$key}[4]){ - &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); - } - } - }else{ - &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); - } - #get target ip's - if ($$hash{$key}[5] eq 'cust_grp_tgt'){ - foreach my $grp (sort {$a <=> $b} keys %customgrp){ - if($customgrp{$grp}[0] eq $$hash{$key}[6]){ - &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); - } - } - }elsif($$hash{$key}[5] eq 'ipfire' ){ - if($$hash{$key}[6] eq 'GREEN'){ - $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; - } - if($$hash{$key}[6] eq 'BLUE'){ - $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; - } - if($$hash{$key}[6] eq 'ORANGE'){ - $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; - } - if($$hash{$key}[6] eq 'ALL'){ - $targethash{$key}[0]='0.0.0.0/0'; - } - if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ - open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open 
local-ipaddress"; - $targethash{$key}[0]= <FILE>; - close(FILE); - }else{ - foreach my $alias (sort keys %aliases){ - if ($$hash{$key}[6] eq $alias){ - $targethash{$key}[0]=$aliases{$alias}{'IPT'}; - } - } - } - }else{ - &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); - } - ##get source prot and port - $SRC_TGT='SRC'; - $SPORT = &get_port($hash,$key); - $SRC_TGT=''; - - ##get target prot and port - $DPROT=&get_prot($hash,$key); - - if ($DPROT eq ''){$DPROT=' ';} - @DPROT=split(",",$DPROT); - - #get time if defined - if($$hash{$key}[18] eq 'ON'){ - my ($time1,$time2,$daylight); - my $daylight=$$hash{$key}[28]; - $time1=&get_time($$hash{$key}[26],$daylight); - $time2=&get_time($$hash{$key}[27],$daylight); - if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} - if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} - if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} - if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} - if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} - if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} - if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} - $TIME=join(",",@timeframe); - - $TIMEFROM="--timestart $time1 "; - $TIMETILL="--timestop $time2 "; - $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; - } - if ($MODE eq '1'){ - print "NR:$key "; - foreach my $i (0 .. 
$#{$$hash{$key}}){ - print "$i: $$hash{$key}[$i] "; - } - print "\n"; - print"##################################\n"; - #print rules to console - foreach my $DPROT (@DPROT){ - $DPORT = &get_port($hash,$key,$DPROT); - $PROT=$DPROT; - $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); - foreach my $a (sort keys %sourcehash){ - foreach my $b (sort keys %targethash){ - if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ - if($DPROT ne ''){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} - if(substr($DPORT, 2, 4) eq 'icmp'){ - my @icmprule= split(",",substr($DPORT, 12,)); - foreach (@icmprule){ - $icmptype="--icmp-type "; - if ($_ eq "BLANK") { - $icmptype=""; - $_=""; - } - if ($$hash{$key}[17] eq 'ON'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n"; - } - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n"; - } - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ - $natchain='NAT_DESTINATION'; - if ($$hash{$key}[17] eq 'ON'){ - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; - } - my ($ip,$sub) =split("/",$targethash{$b}[0]); - #Process NAT with servicegroup used - if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; - $fwaccessdport=$DPORT; - }else{ - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; - $DPORT =~ s/-/:/g; - if ($DPORT){ - $fwaccessdport="--dport ".substr($DPORT,1,); - }elsif(! 
$DPORT && $$hash{$key}[30] ne ''){ - if ($$hash{$key}[30]=~m/|/i){ - $$hash{$key}[30] =~ s/|/,/g; - $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; - }else{ - $fwaccessdport="--dport $$hash{$key}[30]"; - } - } - } - print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; - next; - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ - $natchain='NAT_SOURCE'; - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; - } - if ($$hash{$key}[17] eq 'ON' ){ - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; - } - if ($PROT ne '-p ICMP'){ - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; - } - if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; - } - } - } - } - } - print"\n"; - } - }elsif($MODE eq '0'){ - foreach my $DPROT (@DPROT){ - $DPORT = &get_port($hash,$key,$DPROT); - $PROT=$DPROT; - $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); - foreach my $a (sort keys %sourcehash){ - foreach my $b (sort keys %targethash){ - if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ - if($DPROT ne ''){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} - #Process ICMP RULE - if(substr($DPORT, 2, 4) eq 'icmp'){ - my @icmprule= split(",",substr($DPORT, 12,)); - foreach (@icmprule){ - $icmptype="--icmp-type "; - if ($_ eq "BLANK") { - $icmptype=""; - $_=""; - } - if ($$hash{$key}[17] eq 'ON'){ - system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); - } - system ("$command 
$$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); - } - #PROCESS DNAT RULE (Portforward) - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ - $natchain='NAT_DESTINATION'; - if ($$hash{$key}[17] eq 'ON'){ - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; - } - my ($ip,$sub) =split("/",$targethash{$b}[0]); - #Process NAT with servicegroup used - if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; - $fwaccessdport=$DPORT; - }else{ - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; - $DPORT =~ s/-/:/g; - if ($DPORT){ - $fwaccessdport="--dport ".substr($DPORT,1,); - }elsif(! $DPORT && $$hash{$key}[30] ne ''){ - if ($$hash{$key}[30]=~m/|/i){ - $$hash{$key}[30] =~ s/|/,/g; - $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; - }else{ - $fwaccessdport="--dport $$hash{$key}[30]"; - } - } - } - system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; - next; - #PROCESS SNAT RULE - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ - $natchain='NAT_SOURCE'; - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; - } - if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){ - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; - } - #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) - if ($PROT ne '-p ICMP'){ - system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; - } - #PROCESS Prot ICMP and 
type = All ICMP-Types - if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ - system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; - } - } - } - } - } - } - } - } - %sourcehash=(); - %targethash=(); - undef $TIME; - undef $TIMEFROM; - undef $TIMETILL; - undef $fireport; - } -} -sub get_nat_ip -{ - my $val=shift; - my $type=shift; - my $result; - if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ - $result=$defaultNetworks{$val.'_ADDRESS'}; - }elsif($val eq 'ALL'){ - $result='-i '.$con; - }elsif($val eq 'Default IP' && $type eq 'dnat'){ - $result='-d '.$redip; - }elsif($val eq 'Default IP' && $type eq 'snat'){ - $result=$redip; - }else{ - foreach my $al (sort keys %aliases){ - if($val eq $al && $type eq 'dnat'){ - $result='-d '.$aliases{$al}{'IPT'}; - }elsif($val eq $al && $type eq 'snat'){ - $result=$aliases{$al}{'IPT'}; - } - } - } - return $result; -} -sub get_time -{ - my $val=shift; - my $val1=shift; - my $time; - my $minutes; - my $ruletime; - $minutes = &utcmin($val); - $ruletime = $minutes + &time_get_utc($val); - if ($ruletime < 0){$ruletime +=1440;} - if ($ruletime > 1440){$ruletime -=1440;} - $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; - return $time; -} -sub time_get_utc -{ - # Calculates the UTCtime from a given time - my $val=shift; - my @localtime=localtime(time); - my @gmtime=gmtime(time); - my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); - return $diff; -} -sub utcmin -{ - my $ruletime=shift; - my ($hrs,$min) = split(":",$ruletime); - my $newtime = $hrs*60+$min; - return $newtime; -} -sub p2pblock -{ - my $P2PSTRING; - my $DO; - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = <FILE>; - close FILE; - my $CMD = "-m ipp2p"; - foreach my $p2pentry (sort @p2ps) { - my @p2pline = split( /;/, $p2pentry ); - if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { - $DO = "ACCEPT"; - if 
("$p2pline[2]" eq "on") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - }else { - $DO = "RETURN"; - if ("$p2pline[2]" eq "off") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - } - } - if ($MODE eq 1){ - if($P2PSTRING){ - print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; - } - }else{ - if($P2PSTRING){ - system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO"); - } - } -} -sub get_address -{ - my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey - my $base2=shift; - my $type=shift; #src or tgt - my $hash; - if ($type eq 'src'){ - $hash=%sourcehash; - }else{ - $hash=%targethash; - } - my $key = &General::findhasharraykey($hash); - if($base eq 'src_addr' || $base eq 'tgt_addr' ){ - if (&General::validmac($base2)){ - $$hash{$key}[0] = "-m mac --mac-source $base2"; - }else{ - $$hash{$key}[0] = $base2; - } - }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ - $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); - }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ - $$hash{$key}[0]=&fwlib::get_net_ip($base2); - }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ - $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); - }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ - $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); - }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ - $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); - }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ - $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); - }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ - $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); - }elsif($base eq 'ipfire_src' ){ - if($base2 eq 'GREEN'){ - $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; - } - if($base2 
eq 'BLUE'){ - $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; - } - if($base2 eq 'ORANGE'){ - $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; - } - if($base2 eq 'ALL'){ - $$hash{$key}[0]='0.0.0.0/0'; - } - if($base2 eq 'RED' || $base2 eq 'RED1'){ - open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; - $$hash{$key}[0]= <FILE>; - close(FILE); - }else{ - foreach my $alias (sort keys %aliases){ - if ($base2 eq $alias){ - $$hash{$key}[0]=$aliases{$alias}{'IPT'}; - } - } - } - } -} -sub get_prot -{ - my $hash=shift; - my $key=shift; - #check AH,GRE,ESP or ICMP - if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){ - return "$$hash{$key}[8]"; - } - if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){ - #check if servicegroup or service - if($$hash{$key}[14] eq 'cust_srv'){ - return &fwlib::get_srv_prot($$hash{$key}[15]); - }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ - return &fwlib::get_srvgrp_prot($$hash{$key}[15]); - }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all" - return "TCP,UDP"; - }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp" - return "$$hash{$key}[8]"; - }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP" - return "$$hash{$key}[8]"; - }else{ - return "$$hash{$key}[8]"; - } - } - #DNAT - if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ - return "$$hash{$key}[8]"; - } -} -sub get_port -{ - my $hash=shift; - my $key=shift; - my $prot=shift; - if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ - if ($$hash{$key}[10] ne ''){ - $$hash{$key}[10] =~ s/|/,/g; - if(index($$hash{$key}[10],",") > 0){ - return "-m multiport --sport $$hash{$key}[10] "; - }else{ - if($$hash{$key}[28] ne 
'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ - return "--sport $$hash{$key}[10] "; - }else{ - return ":$$hash{$key}[10]"; - } - } - } - }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ - if($$hash{$key}[14] eq 'TGT_PORT'){ - if ($$hash{$key}[15] ne ''){ - $$hash{$key}[15] =~ s/|/,/g; - if(index($$hash{$key}[15],",") > 0){ - return "-m multiport --dport $$hash{$key}[15] "; - }else{ - if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ - return "--dport $$hash{$key}[15] "; - }else{ - $$hash{$key}[15] =~ s/:/-/g; - return ":$$hash{$key}[15]"; - } - } - } - }elsif($$hash{$key}[14] eq 'cust_srv'){ - if ($prot ne 'ICMP'){ - if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ - return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); - }else{ - return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); - } - }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service - return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); - } - }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ - if ($prot ne 'ICMP'){ - return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); - } - elsif($prot eq 'ICMP'){ - return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); - } - } - } - #CHECK ICMP - if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){ - if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ - return "--icmp-type $$hash{$key}[9] "; - }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ - return; - } - } -} diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index 7796d86..7fdc983 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot 
@@ -49,17 +49,17 @@ var/ipfire/extrahd #var/ipfire/extrahd/partitions #var/ipfire/extrahd/scan #var/ipfire/extrahd/settings -var/ipfire/forward -#var/ipfire/forward/bin -#var/ipfire/forward/bin/firewall-lib.pl -#var/ipfire/forward/bin/rules.pl -#var/ipfire/forward/config -#var/ipfire/forward/dmz -#var/ipfire/forward/input -#var/ipfire/forward/nat -#var/ipfire/forward/outgoing -#var/ipfire/forward/p2protocols -#var/ipfire/forward/settings +var/ipfire/firewall +#var/ipfire/firewall/bin +#var/ipfire/firewall/bin/firewall-lib.pl +#var/ipfire/firewall/bin/rules.pl +#var/ipfire/firewall/config +#var/ipfire/firewall/dmz +#var/ipfire/firewall/input +#var/ipfire/firewall/nat +#var/ipfire/firewall/outgoing +#var/ipfire/firewall/p2protocols +#var/ipfire/firewall/settings var/ipfire/fwhosts #var/ipfire/fwhosts/customgroups #var/ipfire/fwhosts/customhosts diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 2463ba2..1ab4dec 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -16,7 +16,7 @@ usr/local/bin/logwatch #usr/local/bin/mpfirectrl usr/local/bin/openvpnctrl #usr/local/bin/outgoingfwctrl -usr/local/bin/forwardfwctrl +usr/local/bin/firewallctrl usr/local/bin/pakfire usr/local/bin/qosctrl usr/local/bin/rebuildhosts diff --git a/config/rootfiles/core/fifteen/filelists/firewall b/config/rootfiles/core/fifteen/filelists/firewall index c5c0dac..3edde8e 100644 --- a/config/rootfiles/core/fifteen/filelists/firewall +++ b/config/rootfiles/core/fifteen/filelists/firewall 
@@ -9,16 +9,14 @@ usr/sbin/convert-outgoingfw usr/sbin/convert-portfw usr/sbin/convert-xtaccess usr/sbin/firewall-policy -var/ipfire/forward -var/ipfire/forward/bin/firewall-lib.pl -var/ipfire/forward/bin/rules.pl -var/ipfire/forward/config -var/ipfire/forward/dmz -var/ipfire/forward/input -var/ipfire/forward/nat -var/ipfire/forward/outgoing -var/ipfire/forward/p2protocols -var/ipfire/forward/settings +var/ipfire/firewall +var/ipfire/firewall/bin/firewall-lib.pl +var/ipfire/firewall/bin/rules.pl +var/ipfire/firewall/config +var/ipfire/firewall/input +var/ipfire/firewall/outgoing +var/ipfire/firewall/p2protocols +var/ipfire/firewall/settings var/ipfire/fwhosts var/ipfire/fwhosts/customhosts var/ipfire/fwhosts/customnetworks diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index fde7e5e..802b2be 100755 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -29,13 +29,13 @@ no warnings 'uninitialized'; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; -require "${General::swroot}/forward/bin/firewall-lib.pl"; +require "${General::swroot}/firewall/bin/firewall-lib.pl";
-unless (-d "${General::swroot}/forward") { system("mkdir ${General::swroot}/forward"); } -unless (-e "${General::swroot}/forward/settings") { system("touch ${General::swroot}/forward/settings"); } -unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } -unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } -unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } +unless (-d "${General::swroot}/firewall") { system("mkdir ${General::swroot}/firewall"); } +unless (-e "${General::swroot}/firewall/settings") { system("touch ${General::swroot}/firewall/settings"); } +unless (-e "${General::swroot}/firewall/config") { system("touch ${General::swroot}/firewall/config"); } +unless (-e "${General::swroot}/firewall/input") { system("touch ${General::swroot}/firewall/input"); } +unless (-e "${General::swroot}/firewall/outgoing") { system("touch ${General::swroot}/firewall/outgoing"); }
my %fwdfwsettings=(); my %selected=() ; @@ -63,7 +63,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=();
-my @PROTOCOLS = ("TCP", "UDP", "ICMP", "IGMP", "AH", "ESP", "GRE"); +my @PROTOCOLS = ("TCP", "UDP", "ICMP", "IGMP", "AH", "ESP", "GRE","IPv6","IPIP");
my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; @@ -75,9 +75,9 @@ my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; my $configipsec = "${General::swroot}/vpn/config"; my $configipsecrw = "${General::swroot}/vpn/settings"; -my $configfwdfw = "${General::swroot}/forward/config"; -my $configinput = "${General::swroot}/forward/input"; -my $configoutgoing = "${General::swroot}/forward/outgoing"; +my $configfwdfw = "${General::swroot}/firewall/config"; +my $configinput = "${General::swroot}/firewall/input"; +my $configoutgoing = "${General::swroot}/firewall/outgoing"; my $configovpn = "${General::swroot}/ovpn/settings"; my $fwoptions = "${General::swroot}/optionsfw/settings"; my $ifacesettings = "${General::swroot}/ethernet/settings"; @@ -87,7 +87,7 @@ my $ipgrp="${General::swroot}/outgoing/groups"; my $tdcolor=''; my $checkorange=''; my @protocols; -&General::readhash("${General::swroot}/forward/settings", %fwdfwsettings); +&General::readhash("${General::swroot}/firewall/settings", %fwdfwsettings); &General::readhash("${General::swroot}/main/settings", %mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color); &General::readhash($fwoptions, %optionsfw); 
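Review bot: the OUTGOING branch of the deleted config/forwardfw/firewall-policy tests `[ "${DROPOUTGOING}" == "on" ]`, and `==` is not POSIX test syntax under the script's `#!/bin/sh` (the DROPINPUT and DROPFORWARD tests use `=`); the deletion itself is fine, but if this script is being re-added under config/firewall, use `=` in the moved copy. Two smaller things to carry over: the REJECT branches tag their rules with `--comment "DROP_INPUT"`, `"DROP_FORWARD"` and `"DROP_OUTPUT"` although the target is REJECT, which misleads anyone reading `iptables -L`, and in the non-MODE1 FORWARD and OUTGOING cases the `-j DROP` appended after the unconditional `/sbin/iptables -A POLICYFWD -j ACCEPT` (and the POLICYOUT equivalent) can never match; if it exists only as a marker for the DROP_FORWARD/DROP_OUTPUT comment text, a comment saying so would help.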
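Review bot: the deleted config/forwardfw/rules.pl handles pipe-separated port lists with unescaped pipes: `if ($$hash{$key}[30] =~ /|/)` and `m/|/i` in buildrules, and `s/|/,/g` on fields 10 and 15 in get_port. In a Perl regex a bare `|` is an alternation of two empty branches, so `/|/` matches every string and `s/|/,/g` matches the empty string at every position, inserting commas between the characters instead of replacing the separator; `tr/|/,/`, as used on `$$hash{$key}[30]` one line later, or `s/\|/,/g` is what is meant. If this script is being moved to config/firewall/bin rather than dropped, fix that in the moved copy, and add a `chomp` for `$con`, `$redip` and the `<FILE>` reads of /var/ipfire/red/local-ipaddress in buildrules and get_address: these values are interpolated into `system("iptables ...")` strings, and if either file ends with a newline the shell splits the command there, so the part before `-i $con` or after `-d $ip` runs on its own and the `-j` target never reaches iptables.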
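Review bot: the core/fifteen filelists/firewall hunk drops `var/ipfire/forward/dmz` and `var/ipfire/forward/nat` without adding `var/ipfire/firewall/dmz` and `var/ipfire/firewall/nat`, while the configroot hunk in the same patch still lists `#var/ipfire/firewall/dmz` and `#var/ipfire/firewall/nat`; if those two files are gone, remove them from configroot as well, otherwise add them to the update list. Both lists also now reference `var/ipfire/firewall/bin/rules.pl`, `var/ipfire/firewall/bin/firewall-lib.pl` and `var/ipfire/firewall/p2protocols`, but the only hunks for those files in this diff are the deletions under config/forwardfw; please confirm the config/firewall copies are in the tree (another commit of this push, presumably) before the update is built.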
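Review bot: misc-progs now ships `usr/local/bin/firewallctrl` instead of `usr/local/bin/forwardfwctrl`, but no hunk in this diff renames the helper's source or the call site in firewall.cgi that executes it, so either those changes are in another commit of this push or the CGI will still try to run the old name. The corresponding src/misc-progs and CGI hunks, or a line in the commit message pointing at them, would make this verifiable.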
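Review bot: the `require "${General::swroot}/firewall/bin/firewall-lib.pl"` hunk and the `$configfwdfw`/`$configinput`/`$configoutgoing` and `readhash("${General::swroot}/firewall/settings")` hunks only change where the CGI looks; the `unless (-d ...) { system("mkdir ...") }` and `touch` lines will create an empty `${General::swroot}/firewall` on first load, and nothing in this diff moves an existing /var/ipfire/forward tree. On any installation that already has rules under the old path (testing systems on this branch) the firewall would come up with empty config, input and outgoing files, i.e. policy-only, after the update; the core update script should move the old directory across, or the convert-* tools listed in filelists/firewall should be re-run.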
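Review bot: `@PROTOCOLS` now ends in `"GRE","IPv6","IPIP"` without the `, ` spacing the rest of the list uses, which is minor; more to the point, these strings are what rules.pl passes verbatim to `iptables -p`, so the `IPv6` entry relies on the protocol name `IPv6` resolving to the protocol-41 encapsulation on the target system, something only implied by the `fwdfw prot41` translation key. A short comment at the list saying that `IPv6` here means the encapsulation protocol and not an address family would stop the next reader from "fixing" it, and the same applies to the display name used in the ruletable hunk.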
@@ -919,6 +919,18 @@ sub checkrule $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; + }elsif($fwdfwsettings{'PROT'} eq 'IPv6'){ + $fwdfwsettings{'USE_SRC_PORT'}=''; + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; + $fwdfwsettings{'USESRV'}=''; + $fwdfwsettings{'TGT_PORT'}=''; + }elsif($fwdfwsettings{'PROT'} eq 'IPIP'){ + $fwdfwsettings{'USE_SRC_PORT'}=''; + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; + $fwdfwsettings{'USESRV'}=''; + $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP' && $fwdfwsettings{'PROT'} ne 'ICMP'){ $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'PROT'} = ''; @@ -1718,17 +1730,25 @@ END print"<hr>"; &Header::closebox; #---PROTOCOL------------------------------------------------------ + $fwdfwsettings{'SRC_PORT'} =~ s/|/,/g; + $fwdfwsettings{'TGT_PORT'} =~ s/|/,/g; + $fwdfwsettings{'dnatport'} =~ tr/|/,/; + + # The dnatport may be empty, if it matches TGT_PORT + if ($fwdfwsettings{'dnatport'} eq $fwdfwsettings{'TGT_PORT'}) { + $fwdfwsettings{'dnatport'} = ""; + } + &Header::openbox('100%', 'left', $Lang::tr{'fwhost prot'}); #Fix Protocol for JQuery if ($fwdfwsettings{'grp3'} eq 'cust_srv' || $fwdfwsettings{'grp3'} eq 'cust_srvgrp'){ $fwdfwsettings{'PROT'} = 'template'; } print<<END; - <div id="prt"> - <table width='15%' border='0' style="float:left;"> + <table width='100%' border='0'> <tr> - <td> - <select name='PROT' id='protocol'> + <td width="25%"> + <select name='PROT' id='protocol' style="width: 95px;"> END print "<option value="""; if ($fwdfwsettings{'PROT'} eq '') { 
@@ -1745,21 +1765,22 @@ END if ($_ eq $fwdfwsettings{'PROT'}) { print " selected="selected""; } - print ">$_</option>"; + if($_ eq "IPv6"){ + print ">$Lang::tr{'fwdfw prot41'}</option>"; + }else{ + print ">$_</option>"; + } } + print<<END; </select> </td> - </tr> - </table> - </div> - - <div id="PROTOCOL_ICMP_TYPES"> - <table width='50%' border='0' style="float:left;"> - <tr> - <td width='20%'>$Lang::tr{'fwhost icmptype'}</td> - <td colspan='2'> - <select name='ICMP_TYPES' style='min-width:230px;'> + <td width="75%"> + <table width='100%' border='0' id="PROTOCOL_ICMP_TYPES"> + <tr> + <td width='20%'>$Lang::tr{'fwhost icmptype'}</td> + <td colspan='2'> + <select name='ICMP_TYPES' style='min-width:230px;'> END &General::readhasharray("${General::swroot}/fwhosts/icmp-types", %icmptypes); print"<option value='All ICMP-Types'>$Lang::tr{'fwdfw all icmp'}</option>"; @@ -1772,66 +1793,51 @@ END }
print <<END; - </select> - </td> - </tr> - </table> - </div> + </select> + </td> + </tr> + </table> + + <table width="100%" border="0" id="PROTOCOL_PORTS"> + <tr> + <!-- #SOURCEPORT --> + <td> + $Lang::tr{'fwdfw use srcport'} + </td> + <td> + <input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' maxlength='20' size='18'> + </td> + <td width='10%'> + </td> + + <!-- #TARGETPORT --> + <td> + $Lang::tr{'fwdfw use srv'} + </td> + + <td> + <input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='20' size='18'> + </td> + </tr> + <tr class="NAT"> + <td colspan='3'></td> + <td>$Lang::tr{'fwdfw external port nat'}:</td> + <td> + <input type='text' name='dnatport' value="$fwdfwsettings{'dnatport'}" maxlength='20' size='18'> + </td> + </tr> + </table> + + <table width="100%" border="0" id="PROTOCOL_TEMPLATE"> + <tr> + <td> + <input type='radio' name='grp3' id='cust_srv' value='cust_srv' checked> + $Lang::tr{'fwhost cust service'} + </td> + <td> + <select name='cust_srv' style='min-width: 230px;'> END
- $fwdfwsettings{'SRC_PORT'} =~ s/|/,/g; - $fwdfwsettings{'TGT_PORT'} =~ s/|/,/g; - $fwdfwsettings{'dnatport'} =~ tr/|/,/; - - # The dnatport may be empty, if it matches TGT_PORT - if ($fwdfwsettings{'dnatport'} eq $fwdfwsettings{'TGT_PORT'}) { - $fwdfwsettings{'dnatport'} = ""; - } - - print <<END; - - <div id="PROTOCOL_PORTS"> - <table border="0"> - <tr> - <!-- #SOURCEPORT --> - <td> - $Lang::tr{'fwdfw use srcport'} - </td> - <td> - <input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' maxlength='20' size='18'> - </td> - <td width='10%'> - </td> - - <!-- #TARGETPORT --> - <td> - $Lang::tr{'fwdfw use srv'} - </td> - - <td> - <input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='20' size='18'> - </td> - </tr> - <tr class="NAT"> - <td colspan='3'></td> - <td>$Lang::tr{'fwdfw external port nat'}:</td> - <td> - <input type='text' name='dnatport' value="$fwdfwsettings{'dnatport'}" maxlength='20' size='18'> - </td> - </tr> - </table> - </div> - - <div id="PROTOCOL_TEMPLATE"> - <table border="0"> - <tr> - <td> - <input type='radio' name='grp3' id='cust_srv' value='cust_srv' checked> - $Lang::tr{'fwhost cust service'} - </td> - <td> - <select name='cust_srv' style='min-width: 230px;'> -END &General::readhasharray("$configsrv", %customservice); foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){ print"<option "; @@ -1839,17 +1845,17 @@ END print"value='$customservice{$key}[0]'>$customservice{$key}[0]</option>"; }
- print<<END; - </select> - </td> - </tr> - <tr> - <td> - <input type='radio' name='grp3' id='cust_srvgrp' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}> - $Lang::tr{'fwhost cust srvgrp'} - </td> - <td> - <select name='cust_srvgrp' style='min-width:230px;'> + print <<END; + </select> + </td> + </tr> + <tr> + <td> + <input type='radio' name='grp3' id='cust_srvgrp' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}> + $Lang::tr{'fwhost cust srvgrp'} + </td> + <td> + <select name='cust_srvgrp' style='min-width:230px;'> END
&General::readhasharray("$configsrvgrp", %customservicegrp); @@ -1861,15 +1867,16 @@ END print">$customservicegrp{$key}[0]</option>"; } $helper=$customservicegrp{$key}[0]; - } + } + print<<END; - </select> + </select> + </td> + </tr> + </table> </td> </tr> </table> - </div> - - <br><br><br> END
&Header::closebox; @@ -2455,7 +2462,11 @@ END #Get Protocol my $prot; if ($$hash{$key}[8]){ - push (@protocols,$$hash{$key}[8]); + if ($$hash{$key}[8] eq "IPv6"){ + push (@protocols,$Lang::tr{'fwdfw prot41 short'}) + }else{ + push (@protocols,$$hash{$key}[8]); + } }elsif($$hash{$key}[14] eq 'cust_srv'){ &get_serviceports("service",$$hash{$key}[15]); }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ @@ -2675,7 +2686,7 @@ END #SHOW FINAL RULE print "<table width='100%'rules='cols' border='1'>"; my $col; - if ($config eq '/var/ipfire/forward/config'){ + if ($config eq '/var/ipfire/firewall/config'){ my $pol='fwdfw '.$fwdfwsettings{'POLICY'}; if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $col="bgcolor='darkred'"; @@ -2683,7 +2694,7 @@ END $col="bgcolor='green'"; } &show_defaultrules($col,$pol); - }elsif ($config eq '/var/ipfire/forward/outgoing'){ + }elsif ($config eq '/var/ipfire/firewall/outgoing'){ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $col="bgcolor='darkred'"; print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF' >$Lang::tr{'fwdfw pol block'}</font></td></tr>"; @@ -2703,7 +2714,7 @@ END print "<b>$title1</b><br>"; print"<table width='100%' border='0' rules='none'><tr><td height='30' bgcolor=$color{'color22'} align='center'>$Lang::tr{'fwhost empty'}</td></tr></table>"; my $col; - if ($config eq '/var/ipfire/forward/config'){ + if ($config eq '/var/ipfire/firewall/config'){ my $pol='fwdfw '.$fwdfwsettings{'POLICY'}; if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $col="bgcolor='darkred'"; @@ -2711,7 +2722,7 @@ END $col="bgcolor='green'"; } &show_defaultrules($col,$pol); - }elsif ($config eq '/var/ipfire/forward/outgoing'){ + }elsif ($config eq '/var/ipfire/firewall/outgoing'){ print "<table width='100%' rules='cols' border='1'>"; my $pol='fwdfw '.$fwdfwsettings{'POLICY1'}; if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ 
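Review bot: In the first forwardfw.cgi hunk (the one before `@@ -1839,17 +1845,17 @@`) the three lines that turn the stored `|` separators into `,` for SRC_PORT, TGT_PORT and dnatport, and the block that blanks dnatport when it equals TGT_PORT, are deleted with no matching `+` lines in the hunk. If that logic was moved above the `print <<END;` heredoc it is simply out of view here; if it was dropped, the edit form will prefill the port fields with raw `|`-separated lists and always show a dnatport value even when it only mirrors TGT_PORT, so please confirm where it went. The same hunk also moves `id="PROTOCOL_PORTS"` and `id="PROTOCOL_TEMPLATE"` from `<div>` wrappers onto the `<table>` elements themselves; if a script shows or hides those sections by id when the protocol changes, it now has to deal with a table element (a `display: block` toggle breaks table layout), so check that caller as part of this change.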
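Review bot: In the `@@ -2455,7 +2462,11 @@` hunk the new `if` branch ends with `push (@protocols,$Lang::tr{'fwdfw prot41 short'})` without a trailing semicolon while the `else` branch has one; Perl accepts it as the last statement of the block, but add the semicolon so the two branches read the same. The branch also keys the display name on the literal stored value `"IPv6"`; that is fine as long as the dropdown in the other hunks keeps submitting `IPv6` as the value and only its label changed to "IPv6 Encapsulation (protocol 41)", which is worth stating in the commit message.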
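Review bot: The `$config eq '/var/ipfire/firewall/config'` and `'/var/ipfire/firewall/outgoing'` comparisons in the `@@ -2675`, `@@ -2683`, `@@ -2703` and `@@ -2711` hunks keep absolute paths hard-coded, whereas every other file in this patch (fwhosts.cgi, optionsfw.cgi, ovpnmain.cgi, p2p-block.cgi) builds the path from `${General::swroot}`. Since these lines are being rewritten anyway, use `"${General::swroot}/firewall/config"` and `"${General::swroot}/firewall/outgoing"` here too; if `$config` is ever built from swroot and the literal stops matching, neither branch fires and the final default-policy rule is silently not shown.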
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index ebd1fdc..fd66a49 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -60,8 +60,8 @@ my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; my $configipsec = "${General::swroot}/vpn/config"; my $configsrv = "${General::swroot}/fwhosts/customservices"; my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; -my $fwconfigfwd = "${General::swroot}/forward/config"; -my $fwconfiginp = "${General::swroot}/forward/input"; +my $fwconfigfwd = "${General::swroot}/firewall/config"; +my $fwconfiginp = "${General::swroot}/firewall/input"; my $configovpn = "${General::swroot}/ovpn/settings"; my $tdcolor=''; my $configipsecrw = "${General::swroot}/vpn/settings"; diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 713f37f..9563aab 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -26,13 +26,13 @@ my %fwdfwsettings=(); my %configfwdfw=(); my %configoutgoingfw=();
-my $configfwdfw = "${General::swroot}/forward/config"; -my $configoutgoing = "${General::swroot}/forward/outgoing"; +my $configfwdfw = "${General::swroot}/firewall/config"; +my $configoutgoing = "${General::swroot}/firewall/outgoing"; my $errormessage = ''; my $warnmessage = ''; my $filename = "${General::swroot}/optionsfw/settings";
-&General::readhash("${General::swroot}/forward/settings", %fwdfwsettings); +&General::readhash("${General::swroot}/firewall/settings", %fwdfwsettings); &Header::showhttpheaders();
#Get GUI values @@ -41,7 +41,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { if ($settings{'defpol'} ne '1'){ $errormessage .= $Lang::tr{'new optionsfw later'}; &General::writehash($filename, %settings); # Save good settings - system("/usr/local/bin/forwardfwctrl"); + system("/usr/local/bin/firewallctrl"); }else{ if ($settings{'POLICY'} ne ''){ $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; @@ -54,9 +54,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { %fwdfwsettings = (); $fwdfwsettings{'POLICY'} = "$MODE"; $fwdfwsettings{'POLICY1'} = "$MODE1"; - &General::writehash("${General::swroot}/forward/settings", %fwdfwsettings); - &General::readhash("${General::swroot}/forward/settings", %fwdfwsettings); - system("/usr/local/bin/forwardfwctrl"); + &General::writehash("${General::swroot}/firewall/settings", %fwdfwsettings); + &General::readhash("${General::swroot}/firewall/settings", %fwdfwsettings); + system("/usr/local/bin/firewallctrl"); } &General::readhash($filename, %settings); # Load good settings } diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index f012358..7eccf98 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -170,7 +170,7 @@ sub checkportfw { my $DPORT = shift; my $DPROT = shift; my %natconfig =(); - my $confignat = "${General::swroot}/forward/config"; + my $confignat = "${General::swroot}/firewall/config"; $DPROT= uc ($DPROT); &General::readhasharray($confignat, %natconfig); foreach my $key (sort keys %natconfig){ diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi index bb0d0ae..aab2d3d 100755 --- a/html/cgi-bin/p2p-block.cgi +++ b/html/cgi-bin/p2p-block.cgi @@ -32,7 +32,7 @@ require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl";
my $errormessage = ''; -my $p2pfile = "${General::swroot}/forward/p2protocols"; +my $p2pfile = "${General::swroot}/firewall/p2protocols";
my @p2ps = (); my %fwdfwsettings = (); diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index ce48d69..92847ca 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -963,6 +963,8 @@ 'fwdfw pol text' => 'Firewall-Standardverhalten für Verbindungen aus lokalen Netzwerken: Alle Verbindungen können entweder zugelassen oder geblockt werden, wenn keine Ausnahmeregel zutrifft. "Blockiert" trennt ebenfalls die Kommunikation zwischen den lokalen Netzwerken.', 'fwdfw pol text1' => 'Firewall-Standardverhalten für von der Firewall selbst initiierte Verbindungen.', 'fwdfw pol title' => 'Standardverhalten der Firewall', +'fwdfw prot41' => 'IPv6 Encapsulation (Protokoll 41)', +'fwdfw prot41 short' => 'IPv6 Encap', 'fwdfw red' => 'ROT', 'fwdfw reread' => 'Änderungen übernehmen', 'fwdfw rule action' => 'Regelaktion:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index c3e4c3e..2d36cdb 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -988,6 +988,8 @@ 'fwdfw pol text' => 'Sets the default firewall behaviour for connections from local networks. You may either allow all new connections or block them by default. Connections between the local networks are also blocked in the latter mode.', 'fwdfw pol text1' => 'Sets the default firewall behaviour for connections initiated by the firewall itself. Attention! You may lock yourself out.', 'fwdfw pol title' => 'Default firewall behaviour', +'fwdfw prot41' => 'IPv6 Encapsulation (Protocol 41)', +'fwdfw prot41 short' => 'IPv6 Encap', 'fwdfw red' => 'RED', 'fwdfw reread' => 'Apply changes', 'fwdfw rule action' => 'Rule action:', diff --git a/lfs/configroot b/lfs/configroot index 555c782..f73453d 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -51,7 +51,7 @@ $(TARGET) :
# Create all directories for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \ - ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main \ + ethernet extrahd/bin fwlogs fwhosts firewall firewall/bin isdn key langs logging mac main \ menu.d modem net-traffic net-traffic/templates nfs optionsfw \ ovpn patches pakfire portfw ppp private proxy/advanced/cre \ proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \ @@ -64,7 +64,7 @@ $(TARGET) : for i in auth/users backup/include.user backup/exclude.user \ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ - ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz forward/nat \ + ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/input firewall/outgoing \ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ 
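Review bot: The `@@ -64,7 +64,7 @@` lfs/configroot hunk does more than rename: `forward/dmz` and `forward/nat` are dropped from the list of one-liner config files rather than becoming `firewall/dmz` and `firewall/nat`, so those two files are no longer created at install time. If nothing reads them any more that is fine, but `convert-dmz` and `convert-portfw` are still installed by the following hunk, so confirm they do not expect the files to exist, and say in the commit message that the removal is intentional rather than a side effect of the rename.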
@@ -99,14 +99,14 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/useragents $(CONFIG_ROOT)/proxy/advanced cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ - cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl - cp $(DIR_SRC)/config/forwardfw/convert-xtaccess /usr/sbin/convert-xtaccess - cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw - cp $(DIR_SRC)/config/forwardfw/convert-dmz /usr/sbin/convert-dmz - cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw - cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols - cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl - cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy + cp $(DIR_SRC)/config/firewall/rules.pl $(CONFIG_ROOT)/firewall/bin/rules.pl + cp $(DIR_SRC)/config/firewall/convert-xtaccess /usr/sbin/convert-xtaccess + cp $(DIR_SRC)/config/firewall/convert-outgoingfw /usr/sbin/convert-outgoingfw + cp $(DIR_SRC)/config/firewall/convert-dmz /usr/sbin/convert-dmz + cp $(DIR_SRC)/config/firewall/convert-portfw /usr/sbin/convert-portfw + cp $(DIR_SRC)/config/firewall/p2protocols $(CONFIG_ROOT)/firewall/p2protocols + cp $(DIR_SRC)/config/firewall/firewall-lib.pl $(CONFIG_ROOT)/firewall/bin/firewall-lib.pl + cp $(DIR_SRC)/config/firewall/firewall-policy /usr/sbin/firewall-policy cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices # Oneliner configfiles 
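Review bot: The `@@ -99,14 +99,14 @@` hunk now copies from `$(DIR_SRC)/config/firewall/`, but this diff carries no rename entries for `config/forwardfw/*`, so these `cp` lines fail at build time unless the directory move is committed alongside. If the move is a separate commit in the same push, reference it in the message; otherwise the `git mv config/forwardfw config/firewall` belongs in this change so the tree builds at every commit.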
@@ -130,11 +130,11 @@ $(TARGET) : echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings - echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings + echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings + echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings # set rules.pl executable - chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl + chmod 755 $(CONFIG_ROOT)/firewall/bin/rules.pl # set converters executable chmod 755 /usr/sbin/convert-* diff --git a/lfs/initscripts b/lfs/initscripts index 0b2dbee..eae451b 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -179,7 +179,7 @@ $(TARGET) :
ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall - ln -sf ../../../../../usr/local/bin/forwardfwctrl \ + ln -sf ../../../../../usr/local/bin/firewallctrl \ /etc/rc.d/init.d/networking/red.up/22-forwardfwctrl ln -sf ../../../../../usr/local/bin/snortctrl \ /etc/rc.d/init.d/networking/red.up/23-RS-snort diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index fc49da4..36d7e44 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -223,7 +223,7 @@ iptables_init() { /usr/sbin/firewall-policy
# read new firewall - /usr/local/bin/forwardfwctrl + /usr/local/bin/firewallctrl
if [ "$DROPINPUT" == "on" ]; then /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index c748a66..b447435 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -27,7 +27,7 @@ PROGS = iowrap SUID_PROGS = squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl snortctrl \ applejuicectrl rebuildhosts backupctrl \ - logwatch openvpnctrl forwardfwctrl \ + logwatch openvpnctrl firewallctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ @@ -86,8 +86,8 @@ smartctrl: smartctrl.c setuid.o ../install+setup/libsmooth/varval.o clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ +firewallctrl: firewallctrl.c setuid.o ../install+setup/libsmooth/varval.o + $(COMPILE) -I../install+setup/libsmooth/ firewallctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/firewallctrl.c b/src/misc-progs/firewallctrl.c new file mode 100644 index 0000000..97de271 --- /dev/null +++ b/src/misc-progs/firewallctrl.c @@ -0,0 +1,25 @@ +/* This file is part of the IPFire Firewall. + * + * This program is distributed under the terms of the GNU General Public + * Licence. See the file COPYING for details. + * + */ + +#include <unistd.h> + +#include "setuid.h" + +int main(int argc, char *argv[]) { + if (!(initsetuid())) + exit(1); + + int retval = safe_system("/var/ipfire/firewall/bin/rules.pl"); + + /* If rules.pl has been successfully executed, the indicator + * file is removed. */ + if (retval == 0) { + unlink("/var/ipfire/firewall/reread"); + } + + return 0; +} diff --git a/src/misc-progs/forwardfwctrl.c b/src/misc-progs/forwardfwctrl.c deleted file mode 100644 index 9f3f28e..0000000 --- a/src/misc-progs/forwardfwctrl.c +++ /dev/null @@ -1,25 +0,0 @@ -/* This file is part of the IPFire Firewall. - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - */ - -#include <unistd.h> - -#include "setuid.h" - -int main(int argc, char *argv[]) { - if (!(initsetuid())) - exit(1); - - int retval = safe_system("/var/ipfire/forward/bin/rules.pl"); - - /* If rules.pl has been successfully executed, the indicator - * file is removed. */ - if (retval == 0) { - unlink("/var/ipfire/forward/reread"); - } - - return 0; -}
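Review bot: In the lfs/initscripts hunk (`@@ -179,7 +179,7 @@`) the symlink target becomes `/usr/local/bin/firewallctrl` but the link is still created as `red.up/22-forwardfwctrl`. Rename the link to `22-firewallctrl` in the same change so the hook name matches the binary; as it stands the old name survives in every installation and the rename is only half done.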
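Review bot: `firewallctrl.c` stores the result of `safe_system("/var/ipfire/firewall/bin/rules.pl")` in `retval` and then unconditionally `return 0`, so neither the init script, which calls `/usr/local/bin/firewallctrl` in `iptables_init()`, nor the `system("/usr/local/bin/firewallctrl")` calls in optionsfw.cgi can tell that rule generation failed; the only trace is the `reread` indicator file that is left behind. Return a non-zero status when `retval != 0` (for example `return retval == 0 ? 0 : 1;`) so callers can surface the error. Two smaller points: `exit(1)` is used with only `<unistd.h>` included, so add `<stdlib.h>` unless `setuid.h` already pulls it in; and since the binary is listed under `SUID_PROGS` in the misc-progs Makefile it runs rules.pl as root, so the `chmod 755 $(CONFIG_ROOT)/firewall/bin/rules.pl` in lfs/configroot must be paired with root ownership of that script and its directory, and the web UI account must not be able to write to either. The file is otherwise a copy of forwardfwctrl.c with only the two paths changed; a `git mv` would keep the history attached to it.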
hooks/post-receive -- IPFire 2.x development tree